From aecf355582778ccde6b6803e71f85e71f5f9bfef Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Wed, 30 Sep 2020 12:35:13 -0500
Subject: [PATCH] Refresh beats schema for validation to 7.9.2 (#347)
---
 etc/beats_schemas/v7.9.2.json | 130799 +++++++++++++++++++++++++++++++
 1 file changed, 130799 insertions(+)
 create mode 100644 etc/beats_schemas/v7.9.2.json
diff --git a/etc/beats_schemas/v7.9.2.json b/etc/beats_schemas/v7.9.2.json
new file mode 100644
index 000000000..5805e0957
--- /dev/null
+++ b/etc/beats_schemas/v7.9.2.json
@@ -0,0 +1,130799 @@ +{ + "auditbeat": { + "folders": { + "_meta": { + "files": { + "fields.common.yml": [ + { + "description": "Contains common fields available in all event types.\n", + "fields": [ + { + "description": "File attributes.", + "fields": [ + { + "description": "Set if the file has the `setuid` bit set. Omitted otherwise.", + "example": true, + "name": "setuid", + "type": "boolean" + }, + { + "description": "Set if the file has the `setgid` bit set. Omitted otherwise.", + "example": true, + "name": "setgid", + "type": "boolean" + }, + { + "description": "An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.\n", + "multi_fields": [ + { + "description": "This is a non-analyzed field that is useful for aggregations on the origin data.\n", + "name": "raw", + "type": "keyword" + } + ], + "name": "origin", + "type": "keyword" + }, + { + "description": "The SELinux identity of the file.", + "fields": [ + { + "description": "The owner of the object.", + "name": "user", + "type": "keyword" + }, + { + "description": "The object's SELinux role.", + "name": "role", + "type": "keyword" + }, + { + "description": "The object's SELinux domain or type.", + "name": "domain", + "type": "keyword" + }, + { + "description": "The object's SELinux level.", + "example": "s0", + "name": "level", + "type": "keyword" + } + ], + "name": "selinux", + "type": "group" + } + ], + "name": "file", + "type": "group" + }, + { + "description": "User information.", + "fields": [ + { + "description": "Audit user information.", + "fields": [ + { + "description": "Audit user ID.", + "name": "id", + "type": "keyword" + }, + { + "description": "Audit user name.", + "name": "name", + "type": "keyword" + } + ], + "name": "audit", + "type": "group" + }, + { + "description": "Effective user information.", + "fields": [ + { + 
"description": "Effective user ID.", + "name": "id", + "type": "keyword" + }, + { + "description": "Effective user name.", + "name": "name", + "type": "keyword" + }, + { + "description": "Effective group information.", + "fields": [ + { + "description": "Effective group ID.", + "name": "id", + "type": "keyword" + }, + { + "description": "Effective group name.", + "name": "name", + "type": "keyword" + } + ], + "name": "group", + "type": "group" + } + ], + "name": "effective", + "type": "group" + }, + { + "description": "Filesystem user information.", + "fields": [ + { + "description": "Filesystem user ID.", + "name": "id", + "type": "keyword" + }, + { + "description": "Filesystem user name.", + "name": "name", + "type": "keyword" + }, + { + "description": "Filesystem group information.", + "fields": [ + { + "description": "Filesystem group ID.", + "name": "id", + "type": "keyword" + }, + { + "description": "Filesystem group name.", + "name": "name", + "type": "keyword" + } + ], + "name": "group", + "type": "group" + } + ], + "name": "filesystem", + "type": "group" + }, + { + "description": "Saved user information.", + "fields": [ + { + "description": "Saved user ID.", + "name": "id", + "type": "keyword" + }, + { + "description": "Saved user name.", + "name": "name", + "type": "keyword" + }, + { + "description": "Saved group information.", + "fields": [ + { + "description": "Saved group ID.", + "name": "id", + "type": "keyword" + }, + { + "description": "Saved group name.", + "name": "name", + "type": "keyword" + } + ], + "name": "group", + "type": "group" + } + ], + "name": "saved", + "type": "group" + } + ], + "name": "user", + "type": "group" + } + ], + "key": "common", + "title": "Common" + } + ] + } + }, + "module": { + "folders": { + "auditd": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "These are the fields generated by the auditd module.", + "fields": [ + { + "fields": [ + { + "migration": true, + "name": "auid", + 
"path": "user.audit.id", + "type": "alias" + }, + { + "migration": true, + "name": "uid", + "path": "user.id", + "type": "alias" + }, + { + "migration": true, + "name": "euid", + "path": "user.effective.id", + "type": "alias" + }, + { + "migration": true, + "name": "fsuid", + "path": "user.filesystem.id", + "type": "alias" + }, + { + "migration": true, + "name": "suid", + "path": "user.saved.id", + "type": "alias" + }, + { + "migration": true, + "name": "gid", + "path": "user.group.id", + "type": "alias" + }, + { + "migration": true, + "name": "egid", + "path": "user.effective.group.id", + "type": "alias" + }, + { + "migration": true, + "name": "sgid", + "path": "user.saved.group.id", + "type": "alias" + }, + { + "migration": true, + "name": "fsgid", + "path": "user.filesystem.group.id", + "type": "alias" + }, + { + "description": "If `resolve_ids` is set to true in the configuration then `name_map` will contain a mapping of uid field names to the resolved name (e.g. auid -> root).\n", + "fields": [ + { + "migration": true, + "name": "auid", + "path": "user.audit.name", + "type": "alias" + }, + { + "migration": true, + "name": "uid", + "path": "user.name", + "type": "alias" + }, + { + "migration": true, + "name": "euid", + "path": "user.effective.name", + "type": "alias" + }, + { + "migration": true, + "name": "fsuid", + "path": "user.filesystem.name", + "type": "alias" + }, + { + "migration": true, + "name": "suid", + "path": "user.saved.name", + "type": "alias" + }, + { + "migration": true, + "name": "gid", + "path": "user.group.name", + "type": "alias" + }, + { + "migration": true, + "name": "egid", + "path": "user.effective.group.name", + "type": "alias" + }, + { + "migration": true, + "name": "sgid", + "path": "user.saved.group.name", + "type": "alias" + }, + { + "migration": true, + "name": "fsgid", + "path": "user.filesystem.group.name", + "type": "alias" + } + ], + "name": "name_map", + "type": "group" + }, + { + "description": "The SELinux identity of the 
actor.", + "fields": [ + { + "description": "account submitted for authentication", + "name": "user", + "type": "keyword" + }, + { + "description": "user's SELinux role", + "name": "role", + "type": "keyword" + }, + { + "description": "The actor's SELinux domain or type.", + "name": "domain", + "type": "keyword" + }, + { + "description": "The actor's SELinux level.", + "example": "s0", + "name": "level", + "type": "keyword" + }, + { + "description": "The actor's SELinux category or compartments.", + "name": "category", + "type": "keyword" + } + ], + "name": "selinux", + "type": "group" + } + ], + "name": "user", + "type": "group" + }, + { + "description": "Process attributes.", + "fields": [ + { + "description": "The current working directory.", + "migration": true, + "name": "cwd", + "path": "process.working_directory", + "type": "alias" + } + ], + "name": "process", + "type": "group" + }, + { + "description": "Source that triggered the event.", + "fields": [ + { + "description": "This is the path associated with a unix socket.", + "name": "path", + "type": "keyword" + } + ], + "name": "source", + "type": "group" + }, + { + "description": "Destination address that triggered the event.", + "fields": [ + { + "description": "This is the path associated with a unix socket.", + "name": "path", + "type": "keyword" + } + ], + "name": "destination", + "type": "group" + }, + { + "fields": [ + { + "description": "The audit message type (e.g. syscall or apparmor_denied).\n", + "example": "syscall", + "name": "message_type", + "type": "keyword" + }, + { + "description": "The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can rollover.\n", + "name": "sequence", + "type": "long" + }, + { + "description": "The session ID assigned to a login. 
All events related to a login session will have the same value.\n", + "name": "session", + "type": "keyword" + }, + { + "description": "The result of the audited operation (success/fail).", + "example": "success or fail", + "name": "result", + "type": "keyword" + }, + { + "fields": [ + { + "description": "The actor is the user that triggered the audit event.", + "fields": [ + { + "description": "The primary identity of the actor. This is the actor's original login ID. It will not change even if the user changes to another account.\n", + "name": "primary", + "type": "keyword" + }, + { + "description": "The secondary identity of the actor. This is typically the same as the primary, except for when the user has used `su`.", + "name": "secondary", + "type": "keyword" + } + ], + "name": "actor", + "type": "group" + }, + { + "description": "This is the thing or object being acted upon in the event.\n", + "fields": [ + { + "description": "A description of the what the \"thing\" is (e.g. file, socket, user-session).\n", + "name": "type", + "type": "keyword" + }, + { + "description": "", + "name": "primary", + "type": "keyword" + }, + { + "description": "", + "name": "secondary", + "type": "keyword" + } + ], + "name": "object", + "type": "group" + }, + { + "description": "This describes how the action was performed. 
Usually this is the exe or command that was being executed that triggered the event.\n", + "name": "how", + "type": "keyword" + } + ], + "name": "summary", + "type": "group" + }, + { + "description": "List of paths associated with the event.", + "fields": [ + { + "description": "inode number", + "name": "inode", + "type": "keyword" + }, + { + "description": "device name as found in /dev", + "name": "dev", + "type": "keyword" + }, + { + "description": "", + "name": "obj_user", + "type": "keyword" + }, + { + "description": "", + "name": "obj_role", + "type": "keyword" + }, + { + "description": "", + "name": "obj_domain", + "type": "keyword" + }, + { + "description": "", + "name": "obj_level", + "type": "keyword" + }, + { + "description": "", + "name": "objtype", + "type": "keyword" + }, + { + "description": "file owner user ID", + "name": "ouid", + "type": "keyword" + }, + { + "description": "the device identifier (special files only)", + "name": "rdev", + "type": "keyword" + }, + { + "description": "kind of file operation being referenced", + "name": "nametype", + "type": "keyword" + }, + { + "description": "file owner group ID", + "name": "ogid", + "type": "keyword" + }, + { + "description": "which item is being recorded", + "name": "item", + "type": "keyword" + }, + { + "description": "mode flags on a file", + "name": "mode", + "type": "keyword" + }, + { + "description": "file name in avcs", + "name": "name", + "type": "keyword" + } + ], + "name": "paths", + "type": "group" + }, + { + "description": "The data from the audit messages.", + "fields": [ + { + "description": "netfilter packet disposition", + "name": "action", + "type": "keyword" + }, + { + "description": "device minor number", + "name": "minor", + "type": "keyword" + }, + { + "description": "a user's account name", + "name": "acct", + "type": "keyword" + }, + { + "description": "the remote address that the user is connecting from", + "name": "addr", + "type": "keyword" + }, + { + "description": "name 
of crypto cipher selected", + "name": "cipher", + "type": "keyword" + }, + { + "description": "during account changes", + "name": "id", + "type": "keyword" + }, + { + "description": "number of entries in the netfilter table", + "name": "entries", + "type": "keyword" + }, + { + "description": "server or client in crypto operation", + "name": "kind", + "type": "keyword" + }, + { + "description": "key size for crypto operation", + "name": "ksize", + "type": "keyword" + }, + { + "description": "sent process ID", + "name": "spid", + "type": "keyword" + }, + { + "description": "the elf architecture flags", + "name": "arch", + "type": "keyword" + }, + { + "description": "the number of arguments to an execve syscall", + "name": "argc", + "type": "keyword" + }, + { + "description": "device major number", + "name": "major", + "type": "keyword" + }, + { + "description": "systemd unit", + "name": "unit", + "type": "keyword" + }, + { + "description": "netfilter table name", + "name": "table", + "type": "keyword" + }, + { + "description": "terminal name the user is running programs on", + "name": "terminal", + "type": "keyword" + }, + { + "description": "pam modules approving the action", + "name": "grantors", + "type": "keyword" + }, + { + "description": "direction of crypto operation", + "name": "direction", + "type": "keyword" + }, + { + "description": "the operation being performed that is audited", + "name": "op", + "type": "keyword" + }, + { + "description": "tty udevice the user is running programs on", + "name": "tty", + "type": "keyword" + }, + { + "description": "syscall number in effect when the event occurred", + "name": "syscall", + "type": "keyword" + }, + { + "description": "TTY text", + "name": "data", + "type": "keyword" + }, + { + "description": "netfilter protocol", + "name": "family", + "type": "keyword" + }, + { + "description": "crypto MAC algorithm selected", + "name": "mac", + "type": "keyword" + }, + { + "description": "perfect forward secrecy method", + 
"name": "pfs", + "type": "keyword" + }, + { + "description": "the number of path records in the event", + "name": "items", + "type": "keyword" + }, + { + "description": "", + "name": "a0", + "type": "keyword" + }, + { + "description": "", + "name": "a1", + "type": "keyword" + }, + { + "description": "", + "name": "a2", + "type": "keyword" + }, + { + "description": "", + "name": "a3", + "type": "keyword" + }, + { + "description": "the hostname that the user is connecting from", + "name": "hostname", + "type": "keyword" + }, + { + "description": "local network port", + "name": "lport", + "type": "keyword" + }, + { + "description": "remote port number", + "name": "rport", + "type": "keyword" + }, + { + "description": "syscall exit code", + "name": "exit", + "type": "keyword" + }, + { + "description": "crypto key finger print", + "name": "fp", + "type": "keyword" + }, + { + "description": "local network address", + "name": "laddr", + "type": "keyword" + }, + { + "description": "local port number", + "name": "sport", + "type": "keyword" + }, + { + "description": "posix capabilities", + "name": "capability", + "type": "keyword" + }, + { + "description": "the number of arguments to a socket call", + "name": "nargs", + "type": "keyword" + }, + { + "description": "new TTY audit enabled setting", + "name": "new-enabled", + "type": "keyword" + }, + { + "description": "audit system's backlog queue size", + "name": "audit_backlog_limit", + "type": "keyword" + }, + { + "description": "directory name", + "name": "dir", + "type": "keyword" + }, + { + "description": "process effective capability map", + "name": "cap_pe", + "type": "keyword" + }, + { + "description": "security model being used for virt", + "name": "model", + "type": "keyword" + }, + { + "description": "new process permitted capability map", + "name": "new_pp", + "type": "keyword" + }, + { + "description": "present TTY audit enabled setting", + "name": "old-enabled", + "type": "keyword" + }, + { + "description": 
"object's login user ID", + "name": "oauid", + "type": "keyword" + }, + { + "description": "old value", + "name": "old", + "type": "keyword" + }, + { + "description": "banners used on printed page", + "name": "banners", + "type": "keyword" + }, + { + "description": "kernel feature being changed", + "name": "feature", + "type": "keyword" + }, + { + "description": "the vm's context string", + "name": "vm-ctx", + "type": "keyword" + }, + { + "description": "object's process ID", + "name": "opid", + "type": "keyword" + }, + { + "description": "SELinux permissions being used", + "name": "seperms", + "type": "keyword" + }, + { + "description": "SELinux AVC decision granted/denied", + "name": "seresult", + "type": "keyword" + }, + { + "description": "device name of rng being added from a vm", + "name": "new-rng", + "type": "keyword" + }, + { + "description": "present MAC address assigned to vm", + "name": "old-net", + "type": "keyword" + }, + { + "description": "signal number", + "name": "sigev_signo", + "type": "keyword" + }, + { + "description": "inode number", + "name": "ino", + "type": "keyword" + }, + { + "description": "old MAC enforcement status", + "name": "old_enforcing", + "type": "keyword" + }, + { + "description": "present number of CPU cores", + "name": "old-vcpu", + "type": "keyword" + }, + { + "description": "user's SE Linux range", + "name": "range", + "type": "keyword" + }, + { + "description": "result of the audited operation(success/fail)", + "name": "res", + "type": "keyword" + }, + { + "description": "number of new files detected", + "name": "added", + "type": "keyword" + }, + { + "description": "socket address family", + "name": "fam", + "type": "keyword" + }, + { + "description": "pid of netlink packet sender", + "name": "nlnk-pid", + "type": "keyword" + }, + { + "description": "lspp subject's context string", + "name": "subj", + "type": "keyword" + }, + { + "description": "the arguments to a syscall", + "name": "a[0-3]", + "type": "keyword" + }, + 
{ + "description": "path to cgroup in sysfs", + "name": "cgroup", + "type": "keyword" + }, + { + "description": "kernel's version number", + "name": "kernel", + "type": "keyword" + }, + { + "description": "object's command line name", + "name": "ocomm", + "type": "keyword" + }, + { + "description": "MAC address being assigned to vm", + "name": "new-net", + "type": "keyword" + }, + { + "description": "SELinux is in permissive mode", + "name": "permissive", + "type": "keyword" + }, + { + "description": "resource class assigned to vm", + "name": "class", + "type": "keyword" + }, + { + "description": "is_compat_task result", + "name": "compat", + "type": "keyword" + }, + { + "description": "file assigned inherited capability map", + "name": "fi", + "type": "keyword" + }, + { + "description": "number of changed files", + "name": "changed", + "type": "keyword" + }, + { + "description": "the payload of the audit record", + "name": "msg", + "type": "keyword" + }, + { + "description": "remote port number", + "name": "dport", + "type": "keyword" + }, + { + "description": "new SELinux user", + "name": "new-seuser", + "type": "keyword" + }, + { + "description": "SELinux context", + "name": "invalid_context", + "type": "keyword" + }, + { + "description": "remote MAC address", + "name": "dmac", + "type": "keyword" + }, + { + "description": "IPX network number", + "name": "ipx-net", + "type": "keyword" + }, + { + "description": "ipc object's user ID", + "name": "iuid", + "type": "keyword" + }, + { + "description": "ethernet packet type ID field", + "name": "macproto", + "type": "keyword" + }, + { + "description": "lspp object context string", + "name": "obj", + "type": "keyword" + }, + { + "description": "IP datagram fragment identifier", + "name": "ipid", + "type": "keyword" + }, + { + "description": "file system being added to vm", + "name": "new-fs", + "type": "keyword" + }, + { + "description": "vm's process ID", + "name": "vm-pid", + "type": "keyword" + }, + { + 
"description": "process inherited capability map", + "name": "cap_pi", + "type": "keyword" + }, + { + "description": "previous auid value", + "name": "old-auid", + "type": "keyword" + }, + { + "description": "object's session ID", + "name": "oses", + "type": "keyword" + }, + { + "description": "file descriptor number", + "name": "fd", + "type": "keyword" + }, + { + "description": "ipc object's group ID", + "name": "igid", + "type": "keyword" + }, + { + "description": "disk being added to vm", + "name": "new-disk", + "type": "keyword" + }, + { + "description": "the inode number of the parent file", + "name": "parent", + "type": "keyword" + }, + { + "description": "length", + "name": "len", + "type": "keyword" + }, + { + "description": "open syscall flags", + "name": "oflag", + "type": "keyword" + }, + { + "description": "a UUID", + "name": "uuid", + "type": "keyword" + }, + { + "description": "seccomp action code", + "name": "code", + "type": "keyword" + }, + { + "description": "netlink group number", + "name": "nlnk-grp", + "type": "keyword" + }, + { + "description": "file permitted capability map", + "name": "cap_fp", + "type": "keyword" + }, + { + "description": "new amount of memory in KB", + "name": "new-mem", + "type": "keyword" + }, + { + "description": "SELinux permission being decided on", + "name": "seperm", + "type": "keyword" + }, + { + "description": "new MAC enforcement status", + "name": "enforcing", + "type": "keyword" + }, + { + "description": "new character device being assigned to vm", + "name": "new-chardev", + "type": "keyword" + }, + { + "description": "device name of rng being removed from a vm", + "name": "old-rng", + "type": "keyword" + }, + { + "description": "out interface number", + "name": "outif", + "type": "keyword" + }, + { + "description": "command being executed", + "name": "cmd", + "type": "keyword" + }, + { + "description": "netfilter hook that packet came from", + "name": "hook", + "type": "keyword" + }, + { + "description": "new 
run level", + "name": "new-level", + "type": "keyword" + }, + { + "description": "sent login user ID", + "name": "sauid", + "type": "keyword" + }, + { + "description": "signal number", + "name": "sig", + "type": "keyword" + }, + { + "description": "audit system's backlog wait time", + "name": "audit_backlog_wait_time", + "type": "keyword" + }, + { + "description": "printer name", + "name": "printer", + "type": "keyword" + }, + { + "description": "present amount of memory in KB", + "name": "old-mem", + "type": "keyword" + }, + { + "description": "the file permission being used", + "name": "perm", + "type": "keyword" + }, + { + "description": "old process inherited capability map", + "name": "old_pi", + "type": "keyword" + }, + { + "description": "audit daemon configuration resulting state", + "name": "state", + "type": "keyword" + }, + { + "description": "audit log's format", + "name": "format", + "type": "keyword" + }, + { + "description": "new group ID being assigned", + "name": "new_gid", + "type": "keyword" + }, + { + "description": "the target's or object's context string", + "name": "tcontext", + "type": "keyword" + }, + { + "description": "device major number", + "name": "maj", + "type": "keyword" + }, + { + "description": "file name in a watch record", + "name": "watch", + "type": "keyword" + }, + { + "description": "device name", + "name": "device", + "type": "keyword" + }, + { + "description": "group name", + "name": "grp", + "type": "keyword" + }, + { + "description": "name of SELinux boolean", + "name": "bool", + "type": "keyword" + }, + { + "description": "type of icmp message", + "name": "icmp_type", + "type": "keyword" + }, + { + "description": "new value of feature lock", + "name": "new_lock", + "type": "keyword" + }, + { + "description": "network promiscuity flag", + "name": "old_prom", + "type": "keyword" + }, + { + "description": "access mode of resource assigned to vm", + "name": "acl", + "type": "keyword" + }, + { + "description": "network 
address of a printer", + "name": "ip", + "type": "keyword" + }, + { + "description": "new process inherited capability map", + "name": "new_pi", + "type": "keyword" + }, + { + "description": "default MAC context", + "name": "default-context", + "type": "keyword" + }, + { + "description": "group ID of the inode's owner", + "name": "inode_gid", + "type": "keyword" + }, + { + "description": "new value for TTY password logging", + "name": "new-log_passwd", + "type": "keyword" + }, + { + "description": "new process effective capability map", + "name": "new_pe", + "type": "keyword" + }, + { + "description": "new MAC context assigned to session", + "name": "selected-context", + "type": "keyword" + }, + { + "description": "file system capabilities version number", + "name": "cap_fver", + "type": "keyword" + }, + { + "description": "file name", + "name": "file", + "type": "keyword" + }, + { + "description": "network MAC address", + "name": "net", + "type": "keyword" + }, + { + "description": "kind of virtualization being referenced", + "name": "virt", + "type": "keyword" + }, + { + "description": "process permitted capability map", + "name": "cap_pp", + "type": "keyword" + }, + { + "description": "present SELinux range", + "name": "old-range", + "type": "keyword" + }, + { + "description": "resource being assigned", + "name": "resrc", + "type": "keyword" + }, + { + "description": "new SELinux range", + "name": "new-range", + "type": "keyword" + }, + { + "description": "group ID of object", + "name": "obj_gid", + "type": "keyword" + }, + { + "description": "network protocol", + "name": "proto", + "type": "keyword" + }, + { + "description": "disk being removed from vm", + "name": "old-disk", + "type": "keyword" + }, + { + "description": "audit system's failure mode", + "name": "audit_failure", + "type": "keyword" + }, + { + "description": "in interface number", + "name": "inif", + "type": "keyword" + }, + { + "description": "virtual machine name", + "name": "vm", + "type": 
"keyword" + }, + { + "description": "mmap syscall flags", + "name": "flags", + "type": "keyword" + }, + { + "description": "netlink protocol number", + "name": "nlnk-fam", + "type": "keyword" + }, + { + "description": "file system being removed from vm", + "name": "old-fs", + "type": "keyword" + }, + { + "description": "previous ses value", + "name": "old-ses", + "type": "keyword" + }, + { + "description": "sequence number", + "name": "seqno", + "type": "keyword" + }, + { + "description": "file system capabilities version number", + "name": "fver", + "type": "keyword" + }, + { + "description": "ipc objects quantity of bytes", + "name": "qbytes", + "type": "keyword" + }, + { + "description": "user's SE Linux user acct", + "name": "seuser", + "type": "keyword" + }, + { + "description": "file assigned effective capability map", + "name": "cap_fe", + "type": "keyword" + }, + { + "description": "new number of CPU cores", + "name": "new-vcpu", + "type": "keyword" + }, + { + "description": "old run level", + "name": "old-level", + "type": "keyword" + }, + { + "description": "old process permitted capability map", + "name": "old_pp", + "type": "keyword" + }, + { + "description": "remote IP address", + "name": "daddr", + "type": "keyword" + }, + { + "description": "present SELinux role", + "name": "old-role", + "type": "keyword" + }, + { + "description": "The request argument to the ioctl syscall", + "name": "ioctlcmd", + "type": "keyword" + }, + { + "description": "local MAC address", + "name": "smac", + "type": "keyword" + }, + { + "description": "apparmor event information", + "name": "apparmor", + "type": "keyword" + }, + { + "description": "file assigned effective capability map", + "name": "fe", + "type": "keyword" + }, + { + "description": "file permission mask that triggered a watch event", + "name": "perm_mask", + "type": "keyword" + }, + { + "description": "login session ID", + "name": "ses", + "type": "keyword" + }, + { + "description": "file inherited capability 
map", + "name": "cap_fi", + "type": "keyword" + }, + { + "description": "user ID of object", + "name": "obj_uid", + "type": "keyword" + }, + { + "description": "text string denoting a reason for the action", + "name": "reason", + "type": "keyword" + }, + { + "description": "the audit system's filter list number", + "name": "list", + "type": "keyword" + }, + { + "description": "present value of feature lock", + "name": "old_lock", + "type": "keyword" + }, + { + "description": "name of subsystem bus a vm resource belongs to", + "name": "bus", + "type": "keyword" + }, + { + "description": "old process effective capability map", + "name": "old_pe", + "type": "keyword" + }, + { + "description": "new SELinux role", + "name": "new-role", + "type": "keyword" + }, + { + "description": "network promiscuity flag", + "name": "prom", + "type": "keyword" + }, + { + "description": "URI pointing to a printer", + "name": "uri", + "type": "keyword" + }, + { + "description": "audit systems's enable/disable status", + "name": "audit_enabled", + "type": "keyword" + }, + { + "description": "present value for TTY password logging", + "name": "old-log_passwd", + "type": "keyword" + }, + { + "description": "present SELinux user", + "name": "old-seuser", + "type": "keyword" + }, + { + "description": "linux personality", + "name": "per", + "type": "keyword" + }, + { + "description": "the subject's context string", + "name": "scontext", + "type": "keyword" + }, + { + "description": "target's object classification", + "name": "tclass", + "type": "keyword" + }, + { + "description": "audit daemon's version number", + "name": "ver", + "type": "keyword" + }, + { + "description": "value being set in feature", + "name": "new", + "type": "keyword" + }, + { + "description": "generic value associated with the operation", + "name": "val", + "type": "keyword" + }, + { + "description": "the vm's disk image context string", + "name": "img-ctx", + "type": "keyword" + }, + { + "description": "present 
character device assigned to vm", + "name": "old-chardev", + "type": "keyword" + }, + { + "description": "current value of SELinux boolean", + "name": "old_val", + "type": "keyword" + }, + { + "description": "whether the syscall was successful or not", + "name": "success", + "type": "keyword" + }, + { + "description": "user ID of the inode's owner", + "name": "inode_uid", + "type": "keyword" + }, + { + "description": "number of deleted files", + "name": "removed", + "type": "keyword" + }, + { + "fields": [ + { + "description": "The port number.", + "name": "port", + "type": "keyword" + }, + { + "description": "The raw socket address structure.", + "name": "saddr", + "type": "keyword" + }, + { + "description": "The remote address.", + "name": "addr", + "type": "keyword" + }, + { + "description": "The socket family (unix, ipv4, ipv6, netlink).", + "example": "unix", + "name": "family", + "type": "keyword" + }, + { + "description": "This is the path associated with a unix socket.", + "name": "path", + "type": "keyword" + } + ], + "name": "socket", + "type": "group" + } + ], + "name": "data", + "type": "group" + }, + { + "description": "An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if `include_raw_message` is set in the config.\n", + "migration": true, + "name": "messages", + "path": "event.original", + "type": "alias" + }, + { + "description": "The warnings generated by the Beat during the construction of the event. 
These are disabled by default and are used for development and debug purposes only.\n", + "migration": true, + "name": "warnings", + "path": "error.message", + "type": "alias" + } + ], + "name": "auditd", + "type": "group" + }, + { + "description": "The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or Ingest Node.\n", + "fields": [ + { + "description": "The name of the continent.\n", + "name": "continent_name", + "type": "keyword" + }, + { + "description": "The name of the city.\n", + "name": "city_name", + "type": "keyword" + }, + { + "description": "The name of the region.\n", + "name": "region_name", + "type": "keyword" + }, + { + "description": "Country ISO code.\n", + "name": "country_iso_code", + "type": "keyword" + }, + { + "description": "The longitude and latitude.\n", + "name": "location", + "type": "geo_point" + } + ], + "name": "geoip", + "type": "group" + } + ], + "key": "auditd", + "title": "Auditd" + } + ] + } + } + } + }, + "file_integrity": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "These are the fields generated by the file_integrity module.", + "fields": [ + { + "description": "Hashes of the file. 
The keys are algorithm names and the values are the hex encoded digest values.\n", + "fields": [ + { + "description": "BLAKE2b-256 hash of the file.", + "name": "blake2b_256", + "type": "keyword" + }, + { + "description": "BLAKE2b-384 hash of the file.", + "name": "blake2b_384", + "type": "keyword" + }, + { + "description": "BLAKE2b-512 hash of the file.", + "name": "blake2b_512", + "type": "keyword" + }, + { + "description": "MD5 hash of the file.", + "name": "md5", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SHA1 hash of the file.", + "name": "sha1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SHA224 hash of the file.", + "name": "sha224", + "type": "keyword" + }, + { + "description": "SHA256 hash of the file.", + "name": "sha256", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SHA384 hash of the file.", + "name": "sha384", + "type": "keyword" + }, + { + "description": "SHA3_224 hash of the file.", + "name": "sha3_224", + "type": "keyword" + }, + { + "description": "SHA3_256 hash of the file.", + "name": "sha3_256", + "type": "keyword" + }, + { + "description": "SHA3_384 hash of the file.", + "name": "sha3_384", + "type": "keyword" + }, + { + "description": "SHA3_512 hash of the file.", + "name": "sha3_512", + "type": "keyword" + }, + { + "description": "SHA512 hash of the file.", + "name": "sha512", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SHA512/224 hash of the file.", + "name": "sha512_224", + "type": "keyword" + }, + { + "description": "SHA512/256 hash of the file.", + "name": "sha512_256", + "type": "keyword" + }, + { + "description": "XX64 hash of the file.", + "name": "xxh64", + "type": "keyword" + } + ], + "name": "hash", + "type": "group" + } + ], + "key": "file_integrity", + "title": "File Integrity" + } + ] + } + } + } + }, + "system": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "These are the fields generated by the 
system module.\n", + "fields": [ + { + "fields": [ + { + "description": "Origin of the event. This can be a file path (e.g. `/var/log/log.1`), or the name of the system component that supplied the data (e.g. `netlink`).\n", + "name": "origin", + "type": "keyword" + } + ], + "name": "event", + "type": "group" + }, + { + "fields": [ + { + "description": "ID uniquely identifying the user on a host. It is computed as a SHA-256 hash of the host ID, user ID, and user name.\n", + "name": "entity_id", + "type": "keyword" + }, + { + "description": "Terminal of the user.\n", + "name": "terminal", + "type": "keyword" + } + ], + "name": "user", + "type": "group" + }, + { + "fields": [ + { + "description": "Hashes of the executable. The keys are algorithm names and the values are the hex encoded digest values.\n", + "fields": [ + { + "description": "BLAKE2b-256 hash of the executable.", + "name": "blake2b_256", + "type": "keyword" + }, + { + "description": "BLAKE2b-384 hash of the executable.", + "name": "blake2b_384", + "type": "keyword" + }, + { + "description": "BLAKE2b-512 hash of the executable.", + "name": "blake2b_512", + "type": "keyword" + }, + { + "description": "SHA224 hash of the executable.", + "name": "sha224", + "type": "keyword" + }, + { + "description": "SHA384 hash of the executable.", + "name": "sha384", + "type": "keyword" + }, + { + "description": "SHA3_224 hash of the executable.", + "name": "sha3_224", + "type": "keyword" + }, + { + "description": "SHA3_256 hash of the executable.", + "name": "sha3_256", + "type": "keyword" + }, + { + "description": "SHA3_384 hash of the executable.", + "name": "sha3_384", + "type": "keyword" + }, + { + "description": "SHA3_512 hash of the executable.", + "name": "sha3_512", + "type": "keyword" + }, + { + "description": "SHA512/224 hash of the executable.", + "name": "sha512_224", + "type": "keyword" + }, + { + "description": "SHA512/256 hash of the executable.", + "name": "sha512_256", + "type": "keyword" + }, + { + 
"description": "XX64 hash of the executable.", + "name": "xxh64", + "type": "keyword" + } + ], + "name": "hash", + "type": "group" + } + ], + "name": "process", + "type": "group" + }, + { + "fields": [ + { + "description": "ID uniquely identifying the socket. It is computed as a SHA-256 hash of the host ID, socket inode, local IP, local port, remote IP, and remote port.\n", + "name": "entity_id", + "type": "keyword" + } + ], + "name": "socket", + "type": "group" + }, + { + "description": "", + "fields": null, + "name": "system.audit", + "type": "group" + } + ], + "key": "system", + "release": "beta", + "title": "System" + } + ] + } + }, + "host": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`host` contains general host information.\n", + "fields": [ + { + "description": "Uptime in nanoseconds.\n", + "format": "duration", + "input_format": "nanoseconds", + "name": "uptime", + "output_format": "asDays", + "output_precision": 1, + "type": "long" + }, + { + "description": "Boot time.\n", + "name": "boottime", + "type": "date" + }, + { + "description": "Set if host is a container.\n", + "name": "containerized", + "type": "boolean" + }, + { + "description": "Name of the timezone of the host, e.g. BST.\n", + "name": "timezone.name", + "type": "keyword" + }, + { + "description": "Timezone offset in seconds.\n", + "name": "timezone.offset.sec", + "type": "long" + }, + { + "description": "Hostname.\n", + "name": "hostname", + "type": "keyword" + }, + { + "description": "Host ID.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Host architecture (e.g. x86_64).\n", + "name": "architecture", + "type": "keyword" + }, + { + "description": "MAC addresses.\n", + "name": "mac", + "type": "keyword" + }, + { + "description": "IP addresses.\n", + "name": "ip", + "type": "ip" + }, + { + "description": "`os` contains information about the operating system.\n", + "fields": [ + { + "description": "OS codename, if any (e.g. 
stretch).\n", + "name": "codename", + "type": "keyword" + }, + { + "description": "OS platform (e.g. centos, ubuntu, windows).\n", + "name": "platform", + "type": "keyword" + }, + { + "description": "OS name (e.g. Mac OS X).\n", + "name": "name", + "type": "keyword" + }, + { + "description": "OS family (e.g. redhat, debian, freebsd, windows).\n", + "name": "family", + "type": "keyword" + }, + { + "description": "OS version.\n", + "name": "version", + "type": "keyword" + }, + { + "description": "The operating system's kernel version.\n", + "name": "kernel", + "type": "keyword" + } + ], + "name": "os", + "type": "group" + } + ], + "name": "host", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "package": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`package` contains information about an installed or removed package.\n", + "fields": [ + { + "description": "ID uniquely identifying the package. It is computed as a SHA-256 hash of the\n host ID, package name, and package version.\n", + "name": "entity_id", + "type": "keyword" + }, + { + "description": "Package name.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Package version.\n", + "name": "version", + "type": "keyword" + }, + { + "description": "Package release.\n", + "name": "release", + "type": "keyword" + }, + { + "description": "Package architecture.\n", + "name": "arch", + "type": "keyword" + }, + { + "description": "Package license.\n", + "name": "license", + "type": "keyword" + }, + { + "description": "Package install time.\n", + "name": "installtime", + "type": "date" + }, + { + "description": "Package size.\n", + "name": "size", + "type": "long" + }, + { + "description": "Package summary.\n", + "name": "summary" + }, + { + "description": "Package URL.\n", + "name": "url", + "type": "keyword" + } + ], + "name": "package", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "user": { + "folders": { + "_meta": { + 
"files": { + "fields.yml": [ + { + "description": "`user` contains information about the users on a system.\n", + "fields": [ + { + "description": "User name.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "User ID.\n", + "name": "uid", + "type": "keyword" + }, + { + "description": "Group ID.\n", + "name": "gid", + "type": "keyword" + }, + { + "description": "User's home directory.\n", + "name": "dir", + "type": "keyword" + }, + { + "description": "Program to run at login.\n", + "name": "shell", + "type": "keyword" + }, + { + "description": "General user information. On Linux, this is the gecos field.\n", + "name": "user_information", + "type": "keyword" + }, + { + "description": "`group` contains information about any groups the user is part of (beyond the user's primary group).\n", + "fields": [ + { + "description": "Group name.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Group ID.\n", + "name": "gid", + "type": "integer" + } + ], + "name": "group", + "type": "object" + }, + { + "description": "`password` contains information about a user's password (not the password itself).\n", + "fields": [ + { + "description": "A user's password type. Possible values are `shadow_password` (the password hash is in the shadow file), `password_disabled`, `no_password` (this is dangerous as anyone can log in), and `crypt_password` (when the password field in /etc/passwd seems to contain an encrypted password).\n", + "name": "type", + "type": "keyword" + }, + { + "description": "The day the user's password was last changed.\n", + "name": "last_changed", + "type": "date" + } + ], + "name": "password", + "type": "group" + } + ], + "name": "user", + "release": "beta", + "type": "group" + } + ] + } + } + } + } + } + } + } + } + } + }, + "filebeat": { + "folders": { + "_meta": { + "files": { + "fields.common.yml": [ + { + "description": "Contains log file lines.\n", + "fields": [ + { + "description": "The file from which the line was read. 
This field contains the absolute path to the file. For example: `/var/log/system.log`.\n", + "name": "log.file.path", + "required": false, + "type": "keyword" + }, + { + "description": "Source address from which the log event was read / sent from.\n", + "name": "log.source.address", + "required": false, + "type": "keyword" + }, + { + "description": "The file offset the reported line starts at.\n", + "name": "log.offset", + "required": false, + "type": "long" + }, + { + "description": "Log stream when reading container logs, can be 'stdout' or 'stderr'\n", + "name": "stream", + "required": false, + "type": "keyword" + }, + { + "description": "The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file.\n", + "name": "input.type", + "required": true + }, + { + "description": "The facility extracted from the priority.\n", + "name": "syslog.facility", + "required": false, + "type": "long" + }, + { + "description": "The priority of the syslog event.\n", + "name": "syslog.priority", + "required": false, + "type": "long" + }, + { + "description": "The human readable severity.\n", + "name": "syslog.severity_label", + "required": false, + "type": "keyword" + }, + { + "description": "The human readable facility.\n", + "name": "syslog.facility_label", + "required": false, + "type": "keyword" + }, + { + "description": "The name of the program.\n", + "name": "process.program", + "required": false, + "type": "keyword" + }, + { + "description": "This field contains the flags of the event.\n", + "name": "log.flags" + }, + { + "migration": true, + "name": "http.response.content_length", + "path": "http.response.body.bytes", + "type": "alias" + }, + { + "fields": [ + { + "fields": [ + { + "name": "full_name", + "type": "keyword" + } + ], + "name": "os", + "type": "group" + } + ], + "name": "user_agent", + "type": "group" + }, + { + "description": "The Filebeat fileset that 
generated this event.\n", + "name": "fileset.name", + "type": "keyword" + }, + { + "migration": true, + "name": "fileset.module", + "path": "event.module", + "type": "alias" + }, + { + "migration": true, + "name": "read_timestamp", + "path": "event.created", + "type": "alias" + }, + { + "description": "docker.attrs contains labels and environment variables written by docker's JSON File logging driver. These fields are only available when they are configured in the logging driver options.\n", + "name": "docker.attrs", + "object_type": "keyword", + "type": "object" + }, + { + "description": "ICMP code.\n", + "name": "icmp.code", + "type": "keyword" + }, + { + "description": "ICMP type.\n", + "name": "icmp.type", + "type": "keyword" + }, + { + "description": "IGMP type.\n", + "name": "igmp.type", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Name of the eventhub.\n", + "name": "eventhub", + "type": "keyword" + }, + { + "description": "The offset.\n", + "name": "offset", + "type": "long" + }, + { + "description": "The enqueued time.\n", + "name": "enqueued_time", + "type": "date" + }, + { + "description": "The partition id.\n", + "name": "partition_id", + "type": "long" + }, + { + "description": "The consumer group.\n", + "name": "consumer_group", + "type": "keyword" + }, + { + "description": "The sequence number.\n", + "name": "sequence_number", + "type": "long" + } + ], + "name": "azure", + "type": "group" + }, + { + "fields": [ + { + "description": "Kafka topic\n", + "name": "topic", + "type": "keyword" + }, + { + "description": "Kafka partition number\n", + "name": "partition", + "type": "long" + }, + { + "description": "Kafka offset of this message\n", + "name": "offset", + "type": "long" + }, + { + "description": "Kafka key, corresponding to the Kafka value stored in the message\n", + "name": "key", + "type": "keyword" + }, + { + "description": "Kafka outer (compressed) block timestamp\n", + "name": "block_timestamp", + "type": "date" + }, + { 
+ "description": "An array of Kafka header strings for this message, in the form \": \".\n", + "name": "headers", + "type": "array" + } + ], + "name": "kafka", + "type": "group" + } + ], + "key": "log", + "title": "Log file content" + } + ] + }, + "folders": { + "test": { + "folders": { + "module": { + "folders": { + "foo": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "module": "foo", + "multi": { + "enabled": true + }, + "multibad": { + "enabled": true + } + } + ] + } + } + } + } + } + } + } + } + } + }, + "input": { + "folders": { + "awscloudwatch": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields from AWS CloudWatch logs.\n", + "fields": [ + { + "default_field": false, + "description": "Fields from AWS CloudWatch logs.\n", + "fields": [ + { + "description": "The name of the log group to which this event belongs.", + "name": "log_group", + "type": "keyword" + }, + { + "description": "The name of the log stream to which this event belongs.", + "name": "log_stream", + "type": "keyword" + }, + { + "description": "The time the event was ingested in AWS CloudWatch.", + "name": "ingestion_time", + "type": "keyword" + } + ], + "name": "awscloudwatch", + "type": "group" + } + ], + "key": "awscloudwatch", + "title": "awscloudwatch" + } + ] + } + } + } + }, + "netflow": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields from NetFlow and IPFIX flows.\n", + "fields": [ + { + "description": "Fields from NetFlow and IPFIX.\n", + "fields": [ + { + "description": "The type of NetFlow record described by this event.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Metadata related to the exporter device that generated this record.\n", + "fields": [ + { + "description": "Exporter's network address in IP:port format.\n", + "name": "address", + "type": "keyword" + }, + { + "description": "Observation domain ID to which this record belongs.\n", + "name": 
"source_id", + "type": "long" + }, + { + "description": "Time and date of export.\n", + "name": "timestamp", + "type": "date" + }, + { + "description": "How long the exporter process has been running, in milliseconds.\n", + "name": "uptime_millis", + "type": "long" + }, + { + "description": "NetFlow version used.\n", + "name": "version", + "type": "integer" + } + ], + "name": "exporter", + "type": "group" + }, + { + "name": "octet_delta_count", + "type": "long" + }, + { + "name": "packet_delta_count", + "type": "long" + }, + { + "name": "delta_flow_count", + "type": "long" + }, + { + "name": "protocol_identifier", + "type": "short" + }, + { + "name": "ip_class_of_service", + "type": "short" + }, + { + "name": "tcp_control_bits", + "type": "integer" + }, + { + "name": "source_transport_port", + "type": "integer" + }, + { + "name": "source_ipv4_address", + "type": "ip" + }, + { + "name": "source_ipv4_prefix_length", + "type": "short" + }, + { + "name": "ingress_interface", + "type": "long" + }, + { + "name": "destination_transport_port", + "type": "integer" + }, + { + "name": "destination_ipv4_address", + "type": "ip" + }, + { + "name": "destination_ipv4_prefix_length", + "type": "short" + }, + { + "name": "egress_interface", + "type": "long" + }, + { + "name": "ip_next_hop_ipv4_address", + "type": "ip" + }, + { + "name": "bgp_source_as_number", + "type": "long" + }, + { + "name": "bgp_destination_as_number", + "type": "long" + }, + { + "name": "bgp_next_hop_ipv4_address", + "type": "ip" + }, + { + "name": "post_mcast_packet_delta_count", + "type": "long" + }, + { + "name": "post_mcast_octet_delta_count", + "type": "long" + }, + { + "name": "flow_end_sys_up_time", + "type": "long" + }, + { + "name": "flow_start_sys_up_time", + "type": "long" + }, + { + "name": "post_octet_delta_count", + "type": "long" + }, + { + "name": "post_packet_delta_count", + "type": "long" + }, + { + "name": "minimum_ip_total_length", + "type": "long" + }, + { + "name": 
"maximum_ip_total_length", + "type": "long" + }, + { + "name": "source_ipv6_address", + "type": "ip" + }, + { + "name": "destination_ipv6_address", + "type": "ip" + }, + { + "name": "source_ipv6_prefix_length", + "type": "short" + }, + { + "name": "destination_ipv6_prefix_length", + "type": "short" + }, + { + "name": "flow_label_ipv6", + "type": "long" + }, + { + "name": "icmp_type_code_ipv4", + "type": "integer" + }, + { + "name": "igmp_type", + "type": "short" + }, + { + "name": "sampling_interval", + "type": "long" + }, + { + "name": "sampling_algorithm", + "type": "short" + }, + { + "name": "flow_active_timeout", + "type": "integer" + }, + { + "name": "flow_idle_timeout", + "type": "integer" + }, + { + "name": "engine_type", + "type": "short" + }, + { + "name": "engine_id", + "type": "short" + }, + { + "name": "exported_octet_total_count", + "type": "long" + }, + { + "name": "exported_message_total_count", + "type": "long" + }, + { + "name": "exported_flow_record_total_count", + "type": "long" + }, + { + "name": "ipv4_router_sc", + "type": "ip" + }, + { + "name": "source_ipv4_prefix", + "type": "ip" + }, + { + "name": "destination_ipv4_prefix", + "type": "ip" + }, + { + "name": "mpls_top_label_type", + "type": "short" + }, + { + "name": "mpls_top_label_ipv4_address", + "type": "ip" + }, + { + "name": "sampler_id", + "type": "short" + }, + { + "name": "sampler_mode", + "type": "short" + }, + { + "name": "sampler_random_interval", + "type": "long" + }, + { + "name": "class_id", + "type": "long" + }, + { + "name": "minimum_ttl", + "type": "short" + }, + { + "name": "maximum_ttl", + "type": "short" + }, + { + "name": "fragment_identification", + "type": "long" + }, + { + "name": "post_ip_class_of_service", + "type": "short" + }, + { + "name": "source_mac_address", + "type": "keyword" + }, + { + "name": "post_destination_mac_address", + "type": "keyword" + }, + { + "name": "vlan_id", + "type": "integer" + }, + { + "name": "post_vlan_id", + "type": "integer" + }, + { 
+ "name": "ip_version", + "type": "short" + }, + { + "name": "flow_direction", + "type": "short" + }, + { + "name": "ip_next_hop_ipv6_address", + "type": "ip" + }, + { + "name": "bgp_next_hop_ipv6_address", + "type": "ip" + }, + { + "name": "ipv6_extension_headers", + "type": "long" + }, + { + "name": "mpls_top_label_stack_section", + "type": "short" + }, + { + "name": "mpls_label_stack_section2", + "type": "short" + }, + { + "name": "mpls_label_stack_section3", + "type": "short" + }, + { + "name": "mpls_label_stack_section4", + "type": "short" + }, + { + "name": "mpls_label_stack_section5", + "type": "short" + }, + { + "name": "mpls_label_stack_section6", + "type": "short" + }, + { + "name": "mpls_label_stack_section7", + "type": "short" + }, + { + "name": "mpls_label_stack_section8", + "type": "short" + }, + { + "name": "mpls_label_stack_section9", + "type": "short" + }, + { + "name": "mpls_label_stack_section10", + "type": "short" + }, + { + "name": "destination_mac_address", + "type": "keyword" + }, + { + "name": "post_source_mac_address", + "type": "keyword" + }, + { + "name": "interface_name", + "type": "keyword" + }, + { + "name": "interface_description", + "type": "keyword" + }, + { + "name": "sampler_name", + "type": "keyword" + }, + { + "name": "octet_total_count", + "type": "long" + }, + { + "name": "packet_total_count", + "type": "long" + }, + { + "name": "flags_and_sampler_id", + "type": "long" + }, + { + "name": "fragment_offset", + "type": "integer" + }, + { + "name": "forwarding_status", + "type": "short" + }, + { + "name": "mpls_vpn_route_distinguisher", + "type": "short" + }, + { + "name": "mpls_top_label_prefix_length", + "type": "short" + }, + { + "name": "src_traffic_index", + "type": "long" + }, + { + "name": "dst_traffic_index", + "type": "long" + }, + { + "name": "application_description", + "type": "keyword" + }, + { + "name": "application_id", + "type": "short" + }, + { + "name": "application_name", + "type": "keyword" + }, + { + "name": 
"post_ip_diff_serv_code_point", + "type": "short" + }, + { + "name": "multicast_replication_factor", + "type": "long" + }, + { + "name": "class_name", + "type": "keyword" + }, + { + "name": "classification_engine_id", + "type": "short" + }, + { + "name": "layer2packet_section_offset", + "type": "integer" + }, + { + "name": "layer2packet_section_size", + "type": "integer" + }, + { + "name": "layer2packet_section_data", + "type": "short" + }, + { + "name": "bgp_next_adjacent_as_number", + "type": "long" + }, + { + "name": "bgp_prev_adjacent_as_number", + "type": "long" + }, + { + "name": "exporter_ipv4_address", + "type": "ip" + }, + { + "name": "exporter_ipv6_address", + "type": "ip" + }, + { + "name": "dropped_octet_delta_count", + "type": "long" + }, + { + "name": "dropped_packet_delta_count", + "type": "long" + }, + { + "name": "dropped_octet_total_count", + "type": "long" + }, + { + "name": "dropped_packet_total_count", + "type": "long" + }, + { + "name": "flow_end_reason", + "type": "short" + }, + { + "name": "common_properties_id", + "type": "long" + }, + { + "name": "observation_point_id", + "type": "long" + }, + { + "name": "icmp_type_code_ipv6", + "type": "integer" + }, + { + "name": "mpls_top_label_ipv6_address", + "type": "ip" + }, + { + "name": "line_card_id", + "type": "long" + }, + { + "name": "port_id", + "type": "long" + }, + { + "name": "metering_process_id", + "type": "long" + }, + { + "name": "exporting_process_id", + "type": "long" + }, + { + "name": "template_id", + "type": "integer" + }, + { + "name": "wlan_channel_id", + "type": "short" + }, + { + "name": "wlan_ssid", + "type": "keyword" + }, + { + "name": "flow_id", + "type": "long" + }, + { + "name": "observation_domain_id", + "type": "long" + }, + { + "name": "flow_start_seconds", + "type": "date" + }, + { + "name": "flow_end_seconds", + "type": "date" + }, + { + "name": "flow_start_milliseconds", + "type": "date" + }, + { + "name": "flow_end_milliseconds", + "type": "date" + }, + { + 
"name": "flow_start_microseconds", + "type": "date" + }, + { + "name": "flow_end_microseconds", + "type": "date" + }, + { + "name": "flow_start_nanoseconds", + "type": "date" + }, + { + "name": "flow_end_nanoseconds", + "type": "date" + }, + { + "name": "flow_start_delta_microseconds", + "type": "long" + }, + { + "name": "flow_end_delta_microseconds", + "type": "long" + }, + { + "name": "system_init_time_milliseconds", + "type": "date" + }, + { + "name": "flow_duration_milliseconds", + "type": "long" + }, + { + "name": "flow_duration_microseconds", + "type": "long" + }, + { + "name": "observed_flow_total_count", + "type": "long" + }, + { + "name": "ignored_packet_total_count", + "type": "long" + }, + { + "name": "ignored_octet_total_count", + "type": "long" + }, + { + "name": "not_sent_flow_total_count", + "type": "long" + }, + { + "name": "not_sent_packet_total_count", + "type": "long" + }, + { + "name": "not_sent_octet_total_count", + "type": "long" + }, + { + "name": "destination_ipv6_prefix", + "type": "ip" + }, + { + "name": "source_ipv6_prefix", + "type": "ip" + }, + { + "name": "post_octet_total_count", + "type": "long" + }, + { + "name": "post_packet_total_count", + "type": "long" + }, + { + "name": "flow_key_indicator", + "type": "long" + }, + { + "name": "post_mcast_packet_total_count", + "type": "long" + }, + { + "name": "post_mcast_octet_total_count", + "type": "long" + }, + { + "name": "icmp_type_ipv4", + "type": "short" + }, + { + "name": "icmp_code_ipv4", + "type": "short" + }, + { + "name": "icmp_type_ipv6", + "type": "short" + }, + { + "name": "icmp_code_ipv6", + "type": "short" + }, + { + "name": "udp_source_port", + "type": "integer" + }, + { + "name": "udp_destination_port", + "type": "integer" + }, + { + "name": "tcp_source_port", + "type": "integer" + }, + { + "name": "tcp_destination_port", + "type": "integer" + }, + { + "name": "tcp_sequence_number", + "type": "long" + }, + { + "name": "tcp_acknowledgement_number", + "type": "long" + }, + { 
+ "name": "tcp_window_size", + "type": "integer" + }, + { + "name": "tcp_urgent_pointer", + "type": "integer" + }, + { + "name": "tcp_header_length", + "type": "short" + }, + { + "name": "ip_header_length", + "type": "short" + }, + { + "name": "total_length_ipv4", + "type": "integer" + }, + { + "name": "payload_length_ipv6", + "type": "integer" + }, + { + "name": "ip_ttl", + "type": "short" + }, + { + "name": "next_header_ipv6", + "type": "short" + }, + { + "name": "mpls_payload_length", + "type": "long" + }, + { + "name": "ip_diff_serv_code_point", + "type": "short" + }, + { + "name": "ip_precedence", + "type": "short" + }, + { + "name": "fragment_flags", + "type": "short" + }, + { + "name": "octet_delta_sum_of_squares", + "type": "long" + }, + { + "name": "octet_total_sum_of_squares", + "type": "long" + }, + { + "name": "mpls_top_label_ttl", + "type": "short" + }, + { + "name": "mpls_label_stack_length", + "type": "long" + }, + { + "name": "mpls_label_stack_depth", + "type": "long" + }, + { + "name": "mpls_top_label_exp", + "type": "short" + }, + { + "name": "ip_payload_length", + "type": "long" + }, + { + "name": "udp_message_length", + "type": "integer" + }, + { + "name": "is_multicast", + "type": "short" + }, + { + "name": "ipv4_ihl", + "type": "short" + }, + { + "name": "ipv4_options", + "type": "long" + }, + { + "name": "tcp_options", + "type": "long" + }, + { + "name": "padding_octets", + "type": "short" + }, + { + "name": "collector_ipv4_address", + "type": "ip" + }, + { + "name": "collector_ipv6_address", + "type": "ip" + }, + { + "name": "export_interface", + "type": "long" + }, + { + "name": "export_protocol_version", + "type": "short" + }, + { + "name": "export_transport_protocol", + "type": "short" + }, + { + "name": "collector_transport_port", + "type": "integer" + }, + { + "name": "exporter_transport_port", + "type": "integer" + }, + { + "name": "tcp_syn_total_count", + "type": "long" + }, + { + "name": "tcp_fin_total_count", + "type": "long" + }, + 
{ + "name": "tcp_rst_total_count", + "type": "long" + }, + { + "name": "tcp_psh_total_count", + "type": "long" + }, + { + "name": "tcp_ack_total_count", + "type": "long" + }, + { + "name": "tcp_urg_total_count", + "type": "long" + }, + { + "name": "ip_total_length", + "type": "long" + }, + { + "name": "post_nat_source_ipv4_address", + "type": "ip" + }, + { + "name": "post_nat_destination_ipv4_address", + "type": "ip" + }, + { + "name": "post_napt_source_transport_port", + "type": "integer" + }, + { + "name": "post_napt_destination_transport_port", + "type": "integer" + }, + { + "name": "nat_originating_address_realm", + "type": "short" + }, + { + "name": "nat_event", + "type": "short" + }, + { + "name": "initiator_octets", + "type": "long" + }, + { + "name": "responder_octets", + "type": "long" + }, + { + "name": "firewall_event", + "type": "short" + }, + { + "name": "ingress_vrfid", + "type": "long" + }, + { + "name": "egress_vrfid", + "type": "long" + }, + { + "name": "vr_fname", + "type": "keyword" + }, + { + "name": "post_mpls_top_label_exp", + "type": "short" + }, + { + "name": "tcp_window_scale", + "type": "integer" + }, + { + "name": "biflow_direction", + "type": "short" + }, + { + "name": "ethernet_header_length", + "type": "short" + }, + { + "name": "ethernet_payload_length", + "type": "integer" + }, + { + "name": "ethernet_total_length", + "type": "integer" + }, + { + "name": "dot1q_vlan_id", + "type": "integer" + }, + { + "name": "dot1q_priority", + "type": "short" + }, + { + "name": "dot1q_customer_vlan_id", + "type": "integer" + }, + { + "name": "dot1q_customer_priority", + "type": "short" + }, + { + "name": "metro_evc_id", + "type": "keyword" + }, + { + "name": "metro_evc_type", + "type": "short" + }, + { + "name": "pseudo_wire_id", + "type": "long" + }, + { + "name": "pseudo_wire_type", + "type": "integer" + }, + { + "name": "pseudo_wire_control_word", + "type": "long" + }, + { + "name": "ingress_physical_interface", + "type": "long" + }, + { + 
"name": "egress_physical_interface", + "type": "long" + }, + { + "name": "post_dot1q_vlan_id", + "type": "integer" + }, + { + "name": "post_dot1q_customer_vlan_id", + "type": "integer" + }, + { + "name": "ethernet_type", + "type": "integer" + }, + { + "name": "post_ip_precedence", + "type": "short" + }, + { + "name": "collection_time_milliseconds", + "type": "date" + }, + { + "name": "export_sctp_stream_id", + "type": "integer" + }, + { + "name": "max_export_seconds", + "type": "date" + }, + { + "name": "max_flow_end_seconds", + "type": "date" + }, + { + "name": "message_md5_checksum", + "type": "short" + }, + { + "name": "message_scope", + "type": "short" + }, + { + "name": "min_export_seconds", + "type": "date" + }, + { + "name": "min_flow_start_seconds", + "type": "date" + }, + { + "name": "opaque_octets", + "type": "short" + }, + { + "name": "session_scope", + "type": "short" + }, + { + "name": "max_flow_end_microseconds", + "type": "date" + }, + { + "name": "max_flow_end_milliseconds", + "type": "date" + }, + { + "name": "max_flow_end_nanoseconds", + "type": "date" + }, + { + "name": "min_flow_start_microseconds", + "type": "date" + }, + { + "name": "min_flow_start_milliseconds", + "type": "date" + }, + { + "name": "min_flow_start_nanoseconds", + "type": "date" + }, + { + "name": "collector_certificate", + "type": "short" + }, + { + "name": "exporter_certificate", + "type": "short" + }, + { + "name": "data_records_reliability", + "type": "boolean" + }, + { + "name": "observation_point_type", + "type": "short" + }, + { + "name": "new_connection_delta_count", + "type": "long" + }, + { + "name": "connection_sum_duration_seconds", + "type": "long" + }, + { + "name": "connection_transaction_id", + "type": "long" + }, + { + "name": "post_nat_source_ipv6_address", + "type": "ip" + }, + { + "name": "post_nat_destination_ipv6_address", + "type": "ip" + }, + { + "name": "nat_pool_id", + "type": "long" + }, + { + "name": "nat_pool_name", + "type": "keyword" + }, + { + 
"name": "anonymization_flags", + "type": "integer" + }, + { + "name": "anonymization_technique", + "type": "integer" + }, + { + "name": "information_element_index", + "type": "integer" + }, + { + "name": "p2p_technology", + "type": "keyword" + }, + { + "name": "tunnel_technology", + "type": "keyword" + }, + { + "name": "encrypted_technology", + "type": "keyword" + }, + { + "name": "bgp_validity_state", + "type": "short" + }, + { + "name": "ip_sec_spi", + "type": "long" + }, + { + "name": "gre_key", + "type": "long" + }, + { + "name": "nat_type", + "type": "short" + }, + { + "name": "initiator_packets", + "type": "long" + }, + { + "name": "responder_packets", + "type": "long" + }, + { + "name": "observation_domain_name", + "type": "keyword" + }, + { + "name": "selection_sequence_id", + "type": "long" + }, + { + "name": "selector_id", + "type": "long" + }, + { + "name": "information_element_id", + "type": "integer" + }, + { + "name": "selector_algorithm", + "type": "integer" + }, + { + "name": "sampling_packet_interval", + "type": "long" + }, + { + "name": "sampling_packet_space", + "type": "long" + }, + { + "name": "sampling_time_interval", + "type": "long" + }, + { + "name": "sampling_time_space", + "type": "long" + }, + { + "name": "sampling_size", + "type": "long" + }, + { + "name": "sampling_population", + "type": "long" + }, + { + "name": "sampling_probability", + "type": "double" + }, + { + "name": "data_link_frame_size", + "type": "integer" + }, + { + "name": "ip_header_packet_section", + "type": "short" + }, + { + "name": "ip_payload_packet_section", + "type": "short" + }, + { + "name": "data_link_frame_section", + "type": "short" + }, + { + "name": "mpls_label_stack_section", + "type": "short" + }, + { + "name": "mpls_payload_packet_section", + "type": "short" + }, + { + "name": "selector_id_total_pkts_observed", + "type": "long" + }, + { + "name": "selector_id_total_pkts_selected", + "type": "long" + }, + { + "name": "absolute_error", + "type": "double" + 
}, + { + "name": "relative_error", + "type": "double" + }, + { + "name": "observation_time_seconds", + "type": "date" + }, + { + "name": "observation_time_milliseconds", + "type": "date" + }, + { + "name": "observation_time_microseconds", + "type": "date" + }, + { + "name": "observation_time_nanoseconds", + "type": "date" + }, + { + "name": "digest_hash_value", + "type": "long" + }, + { + "name": "hash_ip_payload_offset", + "type": "long" + }, + { + "name": "hash_ip_payload_size", + "type": "long" + }, + { + "name": "hash_output_range_min", + "type": "long" + }, + { + "name": "hash_output_range_max", + "type": "long" + }, + { + "name": "hash_selected_range_min", + "type": "long" + }, + { + "name": "hash_selected_range_max", + "type": "long" + }, + { + "name": "hash_digest_output", + "type": "boolean" + }, + { + "name": "hash_initialiser_value", + "type": "long" + }, + { + "name": "selector_name", + "type": "keyword" + }, + { + "name": "upper_ci_limit", + "type": "double" + }, + { + "name": "lower_ci_limit", + "type": "double" + }, + { + "name": "confidence_level", + "type": "double" + }, + { + "name": "information_element_data_type", + "type": "short" + }, + { + "name": "information_element_description", + "type": "keyword" + }, + { + "name": "information_element_name", + "type": "keyword" + }, + { + "name": "information_element_range_begin", + "type": "long" + }, + { + "name": "information_element_range_end", + "type": "long" + }, + { + "name": "information_element_semantics", + "type": "short" + }, + { + "name": "information_element_units", + "type": "integer" + }, + { + "name": "private_enterprise_number", + "type": "long" + }, + { + "name": "virtual_station_interface_id", + "type": "short" + }, + { + "name": "virtual_station_interface_name", + "type": "keyword" + }, + { + "name": "virtual_station_uuid", + "type": "short" + }, + { + "name": "virtual_station_name", + "type": "keyword" + }, + { + "name": "layer2_segment_id", + "type": "long" + }, + { + "name": 
"layer2_octet_delta_count", + "type": "long" + }, + { + "name": "layer2_octet_total_count", + "type": "long" + }, + { + "name": "ingress_unicast_packet_total_count", + "type": "long" + }, + { + "name": "ingress_multicast_packet_total_count", + "type": "long" + }, + { + "name": "ingress_broadcast_packet_total_count", + "type": "long" + }, + { + "name": "egress_unicast_packet_total_count", + "type": "long" + }, + { + "name": "egress_broadcast_packet_total_count", + "type": "long" + }, + { + "name": "monitoring_interval_start_milli_seconds", + "type": "date" + }, + { + "name": "monitoring_interval_end_milli_seconds", + "type": "date" + }, + { + "name": "port_range_start", + "type": "integer" + }, + { + "name": "port_range_end", + "type": "integer" + }, + { + "name": "port_range_step_size", + "type": "integer" + }, + { + "name": "port_range_num_ports", + "type": "integer" + }, + { + "name": "sta_mac_address", + "type": "keyword" + }, + { + "name": "sta_ipv4_address", + "type": "ip" + }, + { + "name": "wtp_mac_address", + "type": "keyword" + }, + { + "name": "ingress_interface_type", + "type": "long" + }, + { + "name": "egress_interface_type", + "type": "long" + }, + { + "name": "rtp_sequence_number", + "type": "integer" + }, + { + "name": "user_name", + "type": "keyword" + }, + { + "name": "application_category_name", + "type": "keyword" + }, + { + "name": "application_sub_category_name", + "type": "keyword" + }, + { + "name": "application_group_name", + "type": "keyword" + }, + { + "name": "original_flows_present", + "type": "long" + }, + { + "name": "original_flows_initiated", + "type": "long" + }, + { + "name": "original_flows_completed", + "type": "long" + }, + { + "name": "distinct_count_of_source_ip_address", + "type": "long" + }, + { + "name": "distinct_count_of_destination_ip_address", + "type": "long" + }, + { + "name": "distinct_count_of_source_ipv4_address", + "type": "long" + }, + { + "name": "distinct_count_of_destination_ipv4_address", + "type": "long" + 
}, + { + "name": "distinct_count_of_source_ipv6_address", + "type": "long" + }, + { + "name": "distinct_count_of_destination_ipv6_address", + "type": "long" + }, + { + "name": "value_distribution_method", + "type": "short" + }, + { + "name": "rfc3550_jitter_milliseconds", + "type": "long" + }, + { + "name": "rfc3550_jitter_microseconds", + "type": "long" + }, + { + "name": "rfc3550_jitter_nanoseconds", + "type": "long" + }, + { + "name": "dot1q_dei", + "type": "boolean" + }, + { + "name": "dot1q_customer_dei", + "type": "boolean" + }, + { + "name": "flow_selector_algorithm", + "type": "integer" + }, + { + "name": "flow_selected_octet_delta_count", + "type": "long" + }, + { + "name": "flow_selected_packet_delta_count", + "type": "long" + }, + { + "name": "flow_selected_flow_delta_count", + "type": "long" + }, + { + "name": "selector_id_total_flows_observed", + "type": "long" + }, + { + "name": "selector_id_total_flows_selected", + "type": "long" + }, + { + "name": "sampling_flow_interval", + "type": "long" + }, + { + "name": "sampling_flow_spacing", + "type": "long" + }, + { + "name": "flow_sampling_time_interval", + "type": "long" + }, + { + "name": "flow_sampling_time_spacing", + "type": "long" + }, + { + "name": "hash_flow_domain", + "type": "integer" + }, + { + "name": "transport_octet_delta_count", + "type": "long" + }, + { + "name": "transport_packet_delta_count", + "type": "long" + }, + { + "name": "original_exporter_ipv4_address", + "type": "ip" + }, + { + "name": "original_exporter_ipv6_address", + "type": "ip" + }, + { + "name": "original_observation_domain_id", + "type": "long" + }, + { + "name": "intermediate_process_id", + "type": "long" + }, + { + "name": "ignored_data_record_total_count", + "type": "long" + }, + { + "name": "data_link_frame_type", + "type": "integer" + }, + { + "name": "section_offset", + "type": "integer" + }, + { + "name": "section_exported_octets", + "type": "integer" + }, + { + "name": "dot1q_service_instance_tag", + "type": 
"short" + }, + { + "name": "dot1q_service_instance_id", + "type": "long" + }, + { + "name": "dot1q_service_instance_priority", + "type": "short" + }, + { + "name": "dot1q_customer_source_mac_address", + "type": "keyword" + }, + { + "name": "dot1q_customer_destination_mac_address", + "type": "keyword" + }, + { + "name": "post_layer2_octet_delta_count", + "type": "long" + }, + { + "name": "post_mcast_layer2_octet_delta_count", + "type": "long" + }, + { + "name": "post_layer2_octet_total_count", + "type": "long" + }, + { + "name": "post_mcast_layer2_octet_total_count", + "type": "long" + }, + { + "name": "minimum_layer2_total_length", + "type": "long" + }, + { + "name": "maximum_layer2_total_length", + "type": "long" + }, + { + "name": "dropped_layer2_octet_delta_count", + "type": "long" + }, + { + "name": "dropped_layer2_octet_total_count", + "type": "long" + }, + { + "name": "ignored_layer2_octet_total_count", + "type": "long" + }, + { + "name": "not_sent_layer2_octet_total_count", + "type": "long" + }, + { + "name": "layer2_octet_delta_sum_of_squares", + "type": "long" + }, + { + "name": "layer2_octet_total_sum_of_squares", + "type": "long" + }, + { + "name": "layer2_frame_delta_count", + "type": "long" + }, + { + "name": "layer2_frame_total_count", + "type": "long" + }, + { + "name": "pseudo_wire_destination_ipv4_address", + "type": "ip" + }, + { + "name": "ignored_layer2_frame_total_count", + "type": "long" + }, + { + "name": "mib_object_value_integer", + "type": "integer" + }, + { + "name": "mib_object_value_octet_string", + "type": "short" + }, + { + "name": "mib_object_value_oid", + "type": "short" + }, + { + "name": "mib_object_value_bits", + "type": "short" + }, + { + "name": "mib_object_value_ip_address", + "type": "ip" + }, + { + "name": "mib_object_value_counter", + "type": "long" + }, + { + "name": "mib_object_value_gauge", + "type": "long" + }, + { + "name": "mib_object_value_time_ticks", + "type": "long" + }, + { + "name": "mib_object_value_unsigned", 
+ "type": "long" + }, + { + "name": "mib_object_identifier", + "type": "short" + }, + { + "name": "mib_sub_identifier", + "type": "long" + }, + { + "name": "mib_index_indicator", + "type": "long" + }, + { + "name": "mib_capture_time_semantics", + "type": "short" + }, + { + "name": "mib_context_engine_id", + "type": "short" + }, + { + "name": "mib_context_name", + "type": "keyword" + }, + { + "name": "mib_object_name", + "type": "keyword" + }, + { + "name": "mib_object_description", + "type": "keyword" + }, + { + "name": "mib_object_syntax", + "type": "keyword" + }, + { + "name": "mib_module_name", + "type": "keyword" + }, + { + "name": "mobile_imsi", + "type": "keyword" + }, + { + "name": "mobile_msisdn", + "type": "keyword" + }, + { + "name": "http_status_code", + "type": "integer" + }, + { + "name": "source_transport_ports_limit", + "type": "integer" + }, + { + "name": "http_request_method", + "type": "keyword" + }, + { + "name": "http_request_host", + "type": "keyword" + }, + { + "name": "http_request_target", + "type": "keyword" + }, + { + "name": "http_message_version", + "type": "keyword" + }, + { + "name": "nat_instance_id", + "type": "long" + }, + { + "name": "internal_address_realm", + "type": "short" + }, + { + "name": "external_address_realm", + "type": "short" + }, + { + "name": "nat_quota_exceeded_event", + "type": "long" + }, + { + "name": "nat_threshold_event", + "type": "long" + }, + { + "name": "http_user_agent", + "type": "keyword" + }, + { + "name": "http_content_type", + "type": "keyword" + }, + { + "name": "http_reason_phrase", + "type": "keyword" + }, + { + "name": "max_session_entries", + "type": "long" + }, + { + "name": "max_bib_entries", + "type": "long" + }, + { + "name": "max_entries_per_user", + "type": "long" + }, + { + "name": "max_subscribers", + "type": "long" + }, + { + "name": "max_fragments_pending_reassembly", + "type": "long" + }, + { + "name": "address_pool_high_threshold", + "type": "long" + }, + { + "name": 
"address_pool_low_threshold", + "type": "long" + }, + { + "name": "address_port_mapping_high_threshold", + "type": "long" + }, + { + "name": "address_port_mapping_low_threshold", + "type": "long" + }, + { + "name": "address_port_mapping_per_user_high_threshold", + "type": "long" + }, + { + "name": "global_address_mapping_high_threshold", + "type": "long" + }, + { + "name": "vpn_identifier", + "type": "short" + } + ], + "name": "netflow", + "type": "group" + } + ], + "key": "netflow", + "title": "NetFlow" + } + ] + } + } + } + }, + "s3": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "S3 fields from s3 input.\n", + "fields": [ + { + "description": "Name of the S3 bucket that this log retrieved from.\n", + "name": "bucket_name", + "type": "keyword" + }, + { + "description": "Name of the S3 object that this log retrieved from.\n", + "name": "object_key", + "type": "keyword" + } + ], + "key": "s3", + "release": "beta", + "title": "s3" + } + ] + } + } + } + } + } + }, + "module": { + "folders": { + "activemq": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "audit": { + "enabled": true + }, + "log": { + "enabled": true + }, + "module": "activemq" + } + ], + "fields.yml": [ + { + "description": "Module for parsing ActiveMQ log files.\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "Name of the caller issuing the logging request (class or resource).\n", + "name": "caller", + "type": "keyword" + }, + { + "description": "Thread that generated the logging event.\n", + "name": "thread", + "type": "keyword" + }, + { + "description": "User that generated the logging event.\n", + "name": "user", + "type": "keyword" + } + ], + "name": "activemq", + "type": "group" + } + ], + "key": "activemq", + "release": "ga", + "title": "ActiveMQ" + } + ] + } + }, + "audit": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields from ActiveMQ audit logs.\n", + "fields": null, 
+ "name": "audit", + "type": "group" + } + ] + } + } + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields from ActiveMQ application logs.\n", + "fields": [ + { + "name": "stack_trace", + "type": "keyword" + } + ], + "name": "log", + "type": "group" + } + ] + } + } + } + } + } + }, + "apache": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "access": { + "enabled": true + }, + "error": { + "enabled": true + }, + "module": "apache" + } + ], + "fields.yml": [ + { + "description": "Apache Module\n", + "fields": [ + { + "description": "Aliases for backward compatibility with old apache2 fields\n", + "fields": [ + { + "fields": [ + { + "migration": true, + "name": "remote_ip", + "path": "source.address", + "type": "alias" + }, + { + "migration": true, + "name": "ssl.protocol", + "path": "apache.access.ssl.protocol", + "type": "alias" + }, + { + "migration": true, + "name": "ssl.cipher", + "path": "apache.access.ssl.cipher", + "type": "alias" + }, + { + "migration": true, + "name": "body_sent.bytes", + "path": "http.response.body.bytes", + "type": "alias" + }, + { + "migration": true, + "name": "user_name", + "path": "user.name", + "type": "alias" + }, + { + "migration": true, + "name": "method", + "path": "http.request.method", + "type": "alias" + }, + { + "migration": true, + "name": "url", + "path": "url.original", + "type": "alias" + }, + { + "migration": true, + "name": "http_version", + "path": "http.version", + "type": "alias" + }, + { + "migration": true, + "name": "response_code", + "path": "http.response.status_code", + "type": "alias" + }, + { + "migration": true, + "name": "referrer", + "path": "http.request.referrer", + "type": "alias" + }, + { + "migration": true, + "name": "agent", + "path": "user_agent.original", + "type": "alias" + }, + { + "fields": [ + { + "migration": true, + "name": "device", + "path": "user_agent.device.name", + "type": "alias" + }, + { + "migration": true, + 
"name": "name", + "path": "user_agent.name", + "type": "alias" + }, + { + "migration": true, + "name": "os", + "path": "user_agent.os.full_name", + "type": "alias" + }, + { + "migration": true, + "name": "os_name", + "path": "user_agent.os.name", + "type": "alias" + }, + { + "migration": true, + "name": "original", + "path": "user_agent.original", + "type": "alias" + } + ], + "name": "user_agent", + "type": "group" + }, + { + "fields": [ + { + "migration": true, + "name": "continent_name", + "path": "source.geo.continent_name", + "type": "alias" + }, + { + "migration": true, + "name": "country_iso_code", + "path": "source.geo.country_iso_code", + "type": "alias" + }, + { + "migration": true, + "name": "location", + "path": "source.geo.location", + "type": "alias" + }, + { + "migration": true, + "name": "region_name", + "path": "source.geo.region_name", + "type": "alias" + }, + { + "migration": true, + "name": "city_name", + "path": "source.geo.city_name", + "type": "alias" + }, + { + "migration": true, + "name": "region_iso_code", + "path": "source.geo.region_iso_code", + "type": "alias" + } + ], + "name": "geoip", + "type": "group" + } + ], + "name": "access", + "type": "group" + }, + { + "fields": [ + { + "migration": true, + "name": "level", + "path": "log.level", + "type": "alias" + }, + { + "migration": true, + "name": "message", + "path": "message", + "type": "alias" + }, + { + "migration": true, + "name": "pid", + "path": "process.pid", + "type": "alias" + }, + { + "migration": true, + "name": "tid", + "path": "process.thread.id", + "type": "alias" + }, + { + "migration": true, + "name": "module", + "path": "apache.error.module", + "type": "alias" + } + ], + "name": "error", + "type": "group" + } + ], + "name": "apache2", + "type": "group" + }, + { + "description": "Apache fields.\n", + "fields": null, + "name": "apache", + "type": "group" + } + ], + "key": "apache", + "short_config": true, + "title": "Apache" + } + ] + } + }, + "access": { + "folders": { + 
"_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains fields for the Apache HTTP Server access logs.\n", + "fields": [ + { + "description": "SSL protocol version.\n", + "name": "ssl.protocol", + "type": "keyword" + }, + { + "description": "SSL cipher name.\n", + "name": "ssl.cipher", + "type": "keyword" + } + ], + "name": "access", + "type": "group" + } + ] + } + } + } + }, + "error": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields from the Apache error logs.\n", + "fields": [ + { + "description": "The module producing the logged message.\n", + "name": "module", + "type": "keyword" + } + ], + "name": "error", + "type": "group" + } + ] + } + } + } + } + } + }, + "auditd": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "auditd" + } + ], + "fields.yml": [ + { + "description": "Module for parsing auditd logs.\n", + "fields": [ + { + "fields": [ + { + "description": "Terminal or tty device on which the user is performing the observed activity.\n", + "name": "terminal", + "type": "keyword" + }, + { + "fields": [ + { + "description": "One or multiple unique identifiers of the user.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Short name or login of the user.\n", + "example": "albert", + "name": "name", + "type": "keyword" + }, + { + "description": "Unique identifier for the group on the system/platform.\n", + "name": "group.id", + "type": "keyword" + }, + { + "description": "Name of the group.\n", + "name": "group.name", + "type": "keyword" + } + ], + "name": "audit", + "type": "group" + }, + { + "fields": [ + { + "description": "One or multiple unique identifiers of the user.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Short name or login of the user.\n", + "example": "albert", + "name": "name", + "type": "keyword" + }, + { + "description": "Unique identifier for the group on the system/platform.\n", + 
"name": "group.id", + "type": "keyword" + }, + { + "description": "Name of the group.\n", + "name": "group.name", + "type": "keyword" + } + ], + "name": "effective", + "type": "group" + }, + { + "fields": [ + { + "description": "One or multiple unique identifiers of the user.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Short name or login of the user.\n", + "example": "albert", + "name": "name", + "type": "keyword" + }, + { + "description": "Unique identifier for the group on the system/platform.\n", + "name": "group.id", + "type": "keyword" + }, + { + "description": "Name of the group.\n", + "name": "group.name", + "type": "keyword" + } + ], + "name": "filesystem", + "type": "group" + }, + { + "fields": [ + { + "description": "One or multiple unique identifiers of the user.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Short name or login of the user.\n", + "example": "albert", + "name": "name", + "type": "keyword" + }, + { + "description": "Unique identifier for the group on the system/platform.\n", + "name": "group.id", + "type": "keyword" + }, + { + "description": "Name of the group.\n", + "name": "group.name", + "type": "keyword" + } + ], + "name": "owner", + "type": "group" + }, + { + "fields": [ + { + "description": "One or multiple unique identifiers of the user.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Short name or login of the user.\n", + "example": "albert", + "name": "name", + "type": "keyword" + }, + { + "description": "Unique identifier for the group on the system/platform.\n", + "name": "group.id", + "type": "keyword" + }, + { + "description": "Name of the group.\n", + "name": "group.name", + "type": "keyword" + } + ], + "name": "saved", + "type": "group" + } + ], + "name": "user", + "type": "group" + }, + { + "description": "Fields from the auditd logs.\n", + "fields": null, + "name": "auditd", + "type": "group" + } + ], + "key": "auditd", + "short_config": true, + "title": 
"Auditd" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type.\n", + "fields": [ + { + "description": "For login events this is the old audit ID used for the user prior to this login.\n", + "name": "old_auid" + }, + { + "description": "For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).\n", + "name": "new_auid" + }, + { + "description": "For login events this is the old session ID used for the user prior to this login.\n", + "name": "old_ses" + }, + { + "description": "For login events this is the new session ID. It can be used to tie a user to future events by session ID.\n", + "name": "new_ses" + }, + { + "description": "The audit event sequence number.\n", + "name": "sequence", + "type": "long" + }, + { + "description": "The number of items in an event.\n", + "name": "items" + }, + { + "description": "The item field indicates which item out of the total number of items. 
This number is zero-based; a value of 0 means it is the first item.\n", + "name": "item" + }, + { + "definition": "TTY udevice the user is running programs on.\n", + "name": "tty", + "type": "keyword" + }, + { + "description": "The first argument to the system call.\n", + "name": "a0" + }, + { + "definition": "Remote address that the user is connecting from.\n", + "name": "addr", + "type": "ip" + }, + { + "definition": "Remote port number.\n", + "name": "rport", + "type": "long" + }, + { + "definition": "Local network address.\n", + "name": "laddr", + "type": "ip" + }, + { + "definition": "Local port number.\n", + "name": "lport", + "type": "long" + }, + { + "migration": true, + "name": "acct", + "path": "user.name", + "type": "alias" + }, + { + "migration": true, + "name": "pid", + "path": "process.pid", + "type": "alias" + }, + { + "migration": true, + "name": "ppid", + "path": "process.ppid", + "type": "alias" + }, + { + "migration": true, + "name": "res", + "path": "event.outcome", + "type": "alias" + }, + { + "migration": true, + "name": "record_type", + "path": "event.action", + "type": "alias" + }, + { + "fields": [ + { + "migration": true, + "name": "continent_name", + "path": "source.geo.continent_name", + "type": "alias" + }, + { + "migration": true, + "name": "country_iso_code", + "path": "source.geo.country_iso_code", + "type": "alias" + }, + { + "migration": true, + "name": "location", + "path": "source.geo.location", + "type": "alias" + }, + { + "migration": true, + "name": "region_name", + "path": "source.geo.region_name", + "type": "alias" + }, + { + "migration": true, + "name": "city_name", + "path": "source.geo.city_name", + "type": "alias" + }, + { + "migration": true, + "name": "region_iso_code", + "path": "source.geo.region_iso_code", + "type": "alias" + } + ], + "name": "geoip", + "type": "group" + }, + { + "migration": true, + "name": "arch", + "path": "host.architecture", + "type": "alias" + }, + { + "migration": true, + "name": "gid", + 
"path": "user.group.id", + "type": "alias" + }, + { + "migration": true, + "name": "uid", + "path": "user.id", + "type": "alias" + }, + { + "migration": true, + "name": "agid", + "path": "user.audit.group.id", + "type": "alias" + }, + { + "migration": true, + "name": "auid", + "path": "user.audit.id", + "type": "alias" + }, + { + "migration": true, + "name": "fsgid", + "path": "user.filesystem.group.id", + "type": "alias" + }, + { + "migration": true, + "name": "fsuid", + "path": "user.filesystem.id", + "type": "alias" + }, + { + "migration": true, + "name": "egid", + "path": "user.effective.group.id", + "type": "alias" + }, + { + "migration": true, + "name": "euid", + "path": "user.effective.id", + "type": "alias" + }, + { + "migration": true, + "name": "sgid", + "path": "user.saved.group.id", + "type": "alias" + }, + { + "migration": true, + "name": "suid", + "path": "user.saved.id", + "type": "alias" + }, + { + "migration": true, + "name": "ogid", + "path": "user.owner.group.id", + "type": "alias" + }, + { + "migration": true, + "name": "ouid", + "path": "user.owner.id", + "type": "alias" + }, + { + "migration": true, + "name": "comm", + "path": "process.name", + "type": "alias" + }, + { + "migration": true, + "name": "exe", + "path": "process.executable", + "type": "alias" + }, + { + "migration": true, + "name": "terminal", + "path": "user.terminal", + "type": "alias" + }, + { + "migration": true, + "name": "msg", + "path": "message", + "type": "alias" + }, + { + "migration": true, + "name": "src", + "path": "source.address", + "type": "alias" + }, + { + "migration": true, + "name": "dst", + "path": "destination.address", + "type": "alias" + } + ], + "name": "log", + "type": "group" + } + ] + } + } + } + } + } + }, + "aws": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "cloudtrail": { + "enabled": false + }, + "cloudwatch": { + "enabled": false + }, + "ec2": { + "enabled": false + }, + "elb": { + "enabled": false + }, + "module": "aws", + 
"s3access": { + "enabled": false + }, + "vpcflow": { + "enabled": false + } + } + ], + "fields.yml": [ + { + "description": "Module for handling logs from AWS.\n", + "fields": [ + { + "description": "Fields from AWS logs.\n", + "fields": null, + "name": "aws", + "type": "group" + } + ], + "key": "aws", + "release": "beta", + "title": "AWS" + } + ] + } + }, + "cloudtrail": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields for AWS CloudTrail logs.\n", + "fields": [ + { + "description": "The CloudTrail version of the log event format.\n", + "name": "event_version", + "type": "keyword" + }, + { + "description": "The userIdentity element contains details about the type of IAM identity that made the request, and which credentials were used. If temporary credentials were used, the element shows how the credentials were obtained.", + "fields": [ + { + "description": "The type of the identity\n", + "name": "type", + "type": "keyword" + }, + { + "description": "The Amazon Resource Name (ARN) of the principal that made the call.", + "name": "arn", + "type": "keyword" + }, + { + "description": "The access key ID that was used to sign the request.", + "name": "access_key_id", + "type": "keyword" + }, + { + "description": "If the request was made with temporary security credentials, an element that provides information about the session that was created for those credentials", + "fields": [ + { + "description": "The value is true if the root user or IAM user whose credentials were used for the request also was authenticated with an MFA device; otherwise, false.", + "name": "mfa_authenticated", + "type": "keyword" + }, + { + "description": "The date and time when the temporary security credentials were issued.", + "name": "creation_date", + "type": "date" + }, + { + "description": "If the request was made with temporary security credentials, an element that provides information about how the credentials were 
obtained.", + "fields": [ + { + "description": "The source of the temporary security credentials, such as Root, IAMUser, or Role.", + "name": "type", + "type": "keyword" + }, + { + "description": "The internal ID of the entity that was used to get credentials.", + "name": "principal_id", + "type": "keyword" + }, + { + "description": "The ARN of the source (account, IAM user, or role) that was used to get temporary security credentials.", + "name": "arn", + "type": "keyword" + }, + { + "description": "The account that owns the entity that was used to get credentials.", + "name": "account_id", + "type": "keyword" + } + ], + "name": "session_issuer", + "type": "group" + } + ], + "name": "session_context", + "type": "group" + }, + { + "description": "The name of the AWS service that made the request, such as Amazon EC2 Auto Scaling or AWS Elastic Beanstalk.", + "name": "invoked_by", + "type": "keyword" + } + ], + "name": "user_identity", + "type": "group" + }, + { + "description": "The AWS service error if the request returns an error.", + "name": "error_code", + "type": "keyword" + }, + { + "description": "If the request returns an error, the description of the error.", + "name": "error_message", + "type": "keyword" + }, + { + "description": "The parameters, if any, that were sent with the request.", + "multi_fields": [ + { + "default_field": false, + "name": "text", + "type": "text" + } + ], + "name": "request_parameters", + "type": "keyword" + }, + { + "description": "The response element for actions that make changes (create, update, or delete actions).", + "multi_fields": [ + { + "default_field": false, + "name": "text", + "type": "text" + } + ], + "name": "response_elements", + "type": "keyword" + }, + { + "description": "Additional data about the event that was not part of the request or response.", + "multi_fields": [ + { + "default_field": false, + "name": "text", + "type": "text" + } + ], + "name": "additional_eventdata", + "type": "keyword" + }, + { + 
"description": "The value that identifies the request. The service being called generates this value.", + "name": "request_id", + "type": "keyword" + }, + { + "description": "Identifies the type of event that generated the event record.", + "name": "event_type", + "type": "keyword" + }, + { + "description": "Identifies the API version associated with the AwsApiCall eventType value.", + "name": "api_version", + "type": "keyword" + }, + { + "description": "A Boolean value that identifies whether the event is a management event.", + "name": "management_event", + "type": "keyword" + }, + { + "description": "Identifies whether this operation is a read-only operation.", + "name": "read_only", + "type": "keyword" + }, + { + "description": "A list of resources accessed in the event.", + "fields": [ + { + "description": "Resource ARNs", + "name": "arn", + "type": "keyword" + }, + { + "description": "Account ID of the resource owner", + "name": "account_id", + "type": "keyword" + }, + { + "description": "Resource type identifier in the format: AWS::aws-service-name::data-type-name", + "name": "type", + "type": "keyword" + } + ], + "name": "resources", + "type": "group" + }, + { + "description": "Represents the account ID that received this event.", + "name": "recipient_account_id", + "type": "keyword" + }, + { + "description": "Identifies the service event, including what triggered the event and the result.", + "multi_fields": [ + { + "default_field": false, + "name": "text", + "type": "text" + } + ], + "name": "service_event_details", + "type": "keyword" + }, + { + "description": "GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts.", + "name": "shared_event_id", + "type": "keyword" + }, + { + "description": "Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3.", + "name": "vpc_endpoint_id", + "type": "keyword" + }, + { + "description": 
"Fields specific to ConsoleLogin events", + "fields": [ + { + "description": "Additional Event Data for ConsoleLogin events\n", + "fields": [ + { + "description": "Identifies whether ConsoleLogin was from mobile version", + "name": "mobile_version", + "type": "boolean" + }, + { + "description": "URL for ConsoleLogin", + "name": "login_to", + "type": "keyword" + }, + { + "description": "Identifies whether multi factor authentication was used during ConsoleLogin", + "name": "mfa_used", + "type": "boolean" + } + ], + "name": "additional_eventdata", + "type": "group" + } + ], + "name": "console_login", + "type": "group" + }, + { + "description": "ES flattened datatype for objects where the subfields aren't known in advance.", + "fields": [ + { + "description": "Additional data about the event that was not part of the request or response.\n", + "name": "additional_eventdata", + "type": "flattened" + }, + { + "description": "The parameters, if any, that were sent with the request.", + "name": "request_parameters", + "type": "flattened" + }, + { + "description": "The response element for actions that make changes (create, update, or delete actions).", + "name": "response_elements", + "type": "flattened" + }, + { + "description": "Identifies the service event, including what triggered the event and the result.", + "name": "service_event_details", + "type": "flattened" + } + ], + "name": "flattened", + "type": "group" + }, + { + "description": "Fields from Cloudtrail Digest Logs", + "fields": [ + { + "description": "A list of Logfiles contained in the digest.", + "name": "log_files", + "type": "nested" + }, + { + "description": "The starting UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by CloudTrail.", + "name": "start_time", + "type": "date" + }, + { + "description": "The ending UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by 
CloudTrail.", + "name": "end_time", + "type": "date" + }, + { + "description": "The name of the Amazon S3 bucket to which the current digest file has been delivered.", + "name": "s3_bucket", + "type": "keyword" + }, + { + "description": "The Amazon S3 object key (that is, the Amazon S3 bucket location) of the current digest file.", + "name": "s3_object", + "type": "keyword" + }, + { + "description": "The UTC time of the most recent event among all of the events in the log files in the digest.", + "name": "newest_event_time", + "type": "date" + }, + { + "description": "The UTC time of the oldest event among all of the events in the log files in the digest.", + "name": "oldest_event_time", + "type": "date" + }, + { + "description": "The Amazon S3 bucket to which the previous digest file was delivered.", + "name": "previous_s3_bucket", + "type": "keyword" + }, + { + "description": "The name of the hash algorithm that was used to hash the previous digest file.", + "name": "previous_hash_algorithm", + "type": "keyword" + }, + { + "description": "The hexadecimal encoded fingerprint of the public key that matches the private key used to sign this digest file.", + "name": "public_key_fingerprint", + "type": "keyword" + }, + { + "description": "The algorithm used to sign the digest file.", + "name": "signature_algorithm", + "type": "keyword" + } + ], + "name": "digest", + "type": "group" + }, + { + "description": "Shows information about the underlying triggers of an Insights event, such as event source, user agent, statistics, API name, and whether the event is the start or end of the Insights event.", + "name": "insight_details", + "type": "flattened" + } + ], + "name": "cloudtrail", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "cloudwatch": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields for AWS CloudWatch logs.\n", + "fields": [ + { + "description": "CloudWatch log message.\n", + 
"name": "message", + "type": "text" + } + ], + "name": "cloudwatch", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "ec2": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields for AWS EC2 logs in CloudWatch.\n", + "fields": [ + { + "description": "The internet address of the requester.\n", + "name": "ip_address", + "type": "keyword" + } + ], + "name": "ec2", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "elb": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields for AWS ELB logs.\n", + "fields": [ + { + "description": "The name of the load balancer.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "The type of the load balancer for v2 Load Balancers.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "The ARN of the target group handling the request.\n", + "name": "target_group.arn", + "type": "keyword" + }, + { + "description": "The ELB listener that received the connection.\n", + "name": "listener", + "type": "keyword" + }, + { + "description": "The protocol of the load balancer (http or tcp).\n", + "name": "protocol", + "type": "keyword" + }, + { + "description": "The total time in seconds since the connection or request is received until it is sent to a registered backend.\n", + "name": "request_processing_time.sec", + "type": "float" + }, + { + "description": "The total time in seconds since the connection is sent to the backend till the backend starts responding.\n", + "name": "backend_processing_time.sec", + "type": "float" + }, + { + "description": "The total time in seconds since the response is received from the backend till it is sent to the client.\n", + "name": "response_processing_time.sec", + "type": "float" + }, + { + "description": "The total time of the connection in milliseconds, since it is opened till it is closed.\n", + "name": 
"connection_time.ms", + "type": "long" + }, + { + "description": "The total time for the TLS handshake to complete in milliseconds once the connection has been established.\n", + "name": "tls_handshake_time.ms", + "type": "long" + }, + { + "description": "The IP address of the backend processing this connection.\n", + "name": "backend.ip", + "type": "keyword" + }, + { + "description": "The port in the backend processing this connection.\n", + "name": "backend.port", + "type": "keyword" + }, + { + "description": "The status code from the backend (status code sent to the client from ELB is stored in `http.response.status_code`\n", + "name": "backend.http.response.status_code", + "type": "keyword" + }, + { + "description": "The SSL cipher used in TLS/SSL connections.\n", + "name": "ssl_cipher", + "type": "keyword" + }, + { + "description": "The SSL protocol used in TLS/SSL connections.\n", + "name": "ssl_protocol", + "type": "keyword" + }, + { + "description": "The ARN of the chosen certificate presented to the client in TLS/SSL connections.\n", + "name": "chosen_cert.arn", + "type": "keyword" + }, + { + "description": "The serial number of the chosen certificate presented to the client in TLS/SSL connections.\n", + "name": "chosen_cert.serial", + "type": "keyword" + }, + { + "description": "The integer value of TLS alerts received by the load balancer from the client, if present.\n", + "name": "incoming_tls_alert", + "type": "keyword" + }, + { + "description": "The TLS named group.\n", + "name": "tls_named_group", + "type": "keyword" + }, + { + "description": "The contents of the `X-Amzn-Trace-Id` header.\n", + "name": "trace_id", + "type": "keyword" + }, + { + "description": "The priority value of the rule that matched the request, if a rule matched.\n", + "name": "matched_rule_priority", + "type": "keyword" + }, + { + "description": "The action executed when processing the request (forward, fixed-response, authenticate...). 
It can contain several values.\n", + "name": "action_executed", + "type": "keyword" + }, + { + "description": "The URL used if a redirection action was executed.\n", + "name": "redirect_url", + "type": "keyword" + }, + { + "description": "The error reason if the executed action failed.\n", + "name": "error.reason", + "type": "keyword" + } + ], + "name": "elb", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "s3access": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields for AWS S3 server access logs.\n", + "fields": [ + { + "description": "The canonical user ID of the owner of the source bucket.\n", + "name": "bucket_owner", + "type": "keyword" + }, + { + "description": "The name of the bucket that the request was processed against.\n", + "name": "bucket", + "type": "keyword" + }, + { + "description": "The apparent internet address of the requester.\n", + "name": "remote_ip", + "type": "ip" + }, + { + "description": "The canonical user ID of the requester, or a - for unauthenticated requests.\n", + "name": "requester", + "type": "keyword" + }, + { + "description": "A string generated by Amazon S3 to uniquely identify each request.\n", + "name": "request_id", + "type": "keyword" + }, + { + "description": "The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT.\n", + "name": "operation", + "type": "keyword" + }, + { + "description": "The \"key\" part of the request, URL encoded, or \"-\" if the operation does not take a key parameter.\n", + "name": "key", + "type": "keyword" + }, + { + "description": "The Request-URI part of the HTTP request message.\n", + "name": "request_uri", + "type": "keyword" + }, + { + "description": "The numeric HTTP status code of the response.\n", + "name": "http_status", + "type": "long" + }, + { + "description": "The Amazon S3 Error Code, or \"-\" if no error 
occurred.\n", + "name": "error_code", + "type": "keyword" + }, + { + "description": "The number of response bytes sent, excluding HTTP protocol overhead, or \"-\" if zero.\n", + "name": "bytes_sent", + "type": "long" + }, + { + "description": "The total size of the object in question.\n", + "name": "object_size", + "type": "long" + }, + { + "description": "The number of milliseconds the request was in flight from the server's perspective.\n", + "name": "total_time", + "type": "long" + }, + { + "description": "The number of milliseconds that Amazon S3 spent processing your request.\n", + "name": "turn_around_time", + "type": "long" + }, + { + "description": "The value of the HTTP Referrer header, if present.\n", + "name": "referrer", + "type": "keyword" + }, + { + "description": "The value of the HTTP User-Agent header.\n", + "name": "user_agent", + "type": "keyword" + }, + { + "description": "The version ID in the request, or \"-\" if the operation does not take a versionId parameter.\n", + "name": "version_id", + "type": "keyword" + }, + { + "description": "The x-amz-id-2 or Amazon S3 extended request ID.\n", + "name": "host_id", + "type": "keyword" + }, + { + "description": "The signature version, SigV2 or SigV4, that was used to authenticate the request or a - for unauthenticated requests.\n", + "name": "signature_version", + "type": "keyword" + }, + { + "description": "The Secure Sockets Layer (SSL) cipher that was negotiated for HTTPS request or a - for HTTP.\n", + "name": "cipher_suite", + "type": "keyword" + }, + { + "description": "The type of request authentication used, AuthHeader for authentication headers, QueryString for query string (pre-signed URL) or a - for unauthenticated requests.\n", + "name": "authentication_type", + "type": "keyword" + }, + { + "description": "The endpoint used to connect to Amazon S3.\n", + "name": "host_header", + "type": "keyword" + }, + { + "description": "The Transport Layer Security (TLS) version negotiated by the 
client.\n", + "name": "tls_version", + "type": "keyword" + } + ], + "name": "s3access", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "vpcflow": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields for AWS VPC flow logs.\n", + "fields": [ + { + "description": "The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3.\n", + "name": "version", + "type": "keyword" + }, + { + "description": "The AWS account ID for the flow log.\n", + "name": "account_id", + "type": "keyword" + }, + { + "description": "The ID of the network interface for which the traffic is recorded.\n", + "name": "interface_id", + "type": "keyword" + }, + { + "description": "The action that is associated with the traffic, ACCEPT or REJECT.\n", + "name": "action", + "type": "keyword" + }, + { + "description": "The logging status of the flow log, OK, NODATA or SKIPDATA.\n", + "name": "log_status", + "type": "keyword" + }, + { + "description": "The ID of the instance that's associated with network interface for which the traffic is recorded, if the instance is owned by you.\n", + "name": "instance_id", + "type": "keyword" + }, + { + "description": "The packet-level (original) source IP address of the traffic.\n", + "name": "pkt_srcaddr", + "type": "ip" + }, + { + "description": "The packet-level (original) destination IP address for the traffic.\n", + "name": "pkt_dstaddr", + "type": "ip" + }, + { + "description": "The ID of the VPC that contains the network interface for which the traffic is recorded.\n", + "name": "vpc_id", + "type": "keyword" + }, + { + "description": "The ID of the subnet that contains the network interface for which the traffic is recorded.\n", + "name": "subnet_id", + "type": "keyword" + }, + { + "description": "The bitmask value for the following TCP flags: 2=SYN,18=SYN-ACK,1=FIN,4=RST\n", + "name": "tcp_flags", + "type": "keyword" + 
}, + { + "description": "The type of traffic: IPv4, IPv6, or EFA.\n", + "name": "type", + "type": "keyword" + } + ], + "name": "vpcflow", + "release": "beta", + "type": "group" + } + ] + } + } + } + } + } + }, + "azure": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "activitylogs": { + "enabled": true, + "var": { + "connection_string": "", + "consumer_group": "$Default", + "eventhub": "insights-operational-logs", + "storage_account": "", + "storage_account_key": "" + } + }, + "auditlogs": { + "enabled": false + }, + "module": "azure", + "signinlogs": { + "enabled": false + } + } + ], + "fields.yml": [ + { + "description": "Azure Module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "Azure subscription ID\n", + "name": "subscription_id", + "type": "keyword" + }, + { + "description": "Correlation ID\n", + "name": "correlation_id", + "type": "keyword" + }, + { + "description": "tenant ID\n", + "name": "tenant_id", + "type": "keyword" + }, + { + "description": "Resource\n", + "fields": [ + { + "description": "Resource ID\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Resource group\n", + "name": "group", + "type": "keyword" + }, + { + "description": "Resource type/namespace\n", + "name": "provider", + "type": "keyword" + }, + { + "description": "Resource type/namespace\n", + "name": "namespace", + "type": "keyword" + }, + { + "description": "Name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Authorization rule\n", + "name": "authorization_rule", + "type": "keyword" + } + ], + "name": "resource", + "type": "group" + } + ], + "name": "azure", + "type": "group" + } + ], + "key": "azure", + "release": "beta", + "title": "Azure" + } + ] + } + }, + "activitylogs": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields for Azure activity logs.\n", + "fields": [ + { + "description": "Identity\n", + "fields": [ + { + 
"description": "Claims initiated by user\n", + "fields": [ + { + "description": "Name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Givenname\n", + "name": "givenname", + "type": "keyword" + }, + { + "description": "Surname\n", + "name": "surname", + "type": "keyword" + }, + { + "description": "Fullname\n", + "name": "fullname", + "type": "keyword" + }, + { + "description": "Schema\n", + "name": "schema", + "type": "keyword" + } + ], + "name": "claims_initiated_by_user", + "type": "group" + }, + { + "description": "Claims\n", + "name": "claims.*", + "object_type": "keyword", + "object_type_mapping_type": "*", + "type": "object" + }, + { + "description": "Authorization\n", + "fields": [ + { + "description": "Scope\n", + "name": "scope", + "type": "keyword" + }, + { + "description": "Action\n", + "name": "action", + "type": "keyword" + }, + { + "description": "Evidence\n", + "fields": [ + { + "description": "Role assignment scope\n", + "name": "role_assignment_scope", + "type": "keyword" + }, + { + "description": "Role definition ID\n", + "name": "role_definition_id", + "type": "keyword" + }, + { + "description": "Role\n", + "name": "role", + "type": "keyword" + }, + { + "description": "Role assignment ID\n", + "name": "role_assignment_id", + "type": "keyword" + }, + { + "description": "Principal ID\n", + "name": "principal_id", + "type": "keyword" + }, + { + "description": "Principal type\n", + "name": "principal_type", + "type": "keyword" + } + ], + "name": "evidence", + "type": "group" + } + ], + "name": "authorization", + "type": "group" + } + ], + "name": "identity", + "type": "group" + }, + { + "description": "Operation name\n", + "name": "operation_name", + "type": "keyword" + }, + { + "description": "Result type\n", + "name": "result_type", + "type": "keyword" + }, + { + "description": "Result signature\n", + "name": "result_signature", + "type": "keyword" + }, + { + "description": "Category\n", + "name": "category", + "type": "keyword" 
+ }, + { + "description": "Event Category\n", + "name": "event_category", + "type": "keyword" + }, + { + "description": "Properties\n", + "fields": [ + { + "description": "Service Request Id\n", + "name": "service_request_id", + "type": "keyword" + }, + { + "description": "Status code\n", + "name": "status_code", + "type": "keyword" + } + ], + "name": "properties", + "type": "group" + } + ], + "name": "activitylogs", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "auditlogs": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields for Azure audit logs.\n", + "fields": [ + { + "description": "The category of the operation. Currently, Audit is the only supported value.\n", + "name": "category", + "type": "keyword" + }, + { + "description": "The operation name\n", + "name": "operation_name", + "type": "keyword" + }, + { + "description": "The operation version\n", + "name": "operation_version", + "type": "keyword" + }, + { + "description": "Identity\n", + "name": "identity", + "type": "keyword" + }, + { + "description": "Tenant ID\n", + "name": "tenant_id", + "type": "keyword" + }, + { + "description": "Result signature\n", + "name": "result_signature", + "type": "keyword" + }, + { + "description": "The audit log properties\n", + "fields": [ + { + "description": "Log result\n", + "name": "result", + "type": "keyword" + }, + { + "description": "Activity display name\n", + "name": "activity_display_name", + "type": "keyword" + }, + { + "description": "Reason for the log result\n", + "name": "result_reason", + "type": "keyword" + }, + { + "description": "Correlation ID\n", + "name": "correlation_id", + "type": "keyword" + }, + { + "description": "Logged by service\n", + "name": "logged_by_service", + "type": "keyword" + }, + { + "description": "Operation type\n", + "name": "operation_type", + "type": "keyword" + }, + { + "description": "ID\n", + "name": "id", + "type": "keyword" + }, + { + 
"description": "Activity timestamp\n", + "name": "activity_datetime", + "type": "date" + }, + { + "description": "category\n", + "name": "category", + "type": "keyword" + }, + { + "description": "Target resources\n", + "fields": [ + { + "description": "Display name\n", + "name": "display_name", + "type": "keyword" + }, + { + "description": "ID\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Type\n", + "name": "type", + "type": "keyword" + }, + { + "description": "ip Address\n", + "name": "ip_address", + "type": "keyword" + }, + { + "description": "User principal name\n", + "name": "user_principal_name", + "type": "keyword" + }, + { + "description": "Modified properties\n", + "fields": [ + { + "description": "New value\n", + "name": "new_value", + "type": "keyword" + }, + { + "description": "Display value\n", + "name": "display_name", + "type": "keyword" + }, + { + "description": "Old value\n", + "name": "old_value", + "type": "keyword" + } + ], + "name": "modified_properties.*", + "object_type": "keyword", + "object_type_mapping_type": "*", + "type": "group" + } + ], + "name": "target_resources.*", + "object_type_mapping_type": "*", + "type": "group" + }, + { + "description": "Information regarding the initiator\n", + "fields": [ + { + "description": "App\n", + "fields": [ + { + "description": "Service principal name\n", + "name": "servicePrincipalName", + "type": "keyword" + }, + { + "description": "Display name\n", + "name": "displayName", + "type": "keyword" + }, + { + "description": "App ID\n", + "name": "appId", + "type": "keyword" + }, + { + "description": "Service principal ID\n", + "name": "servicePrincipalId", + "type": "keyword" + } + ], + "name": "app", + "type": "group" + }, + { + "description": "User\n", + "fields": [ + { + "description": "User principal name\n", + "name": "userPrincipalName", + "type": "keyword" + }, + { + "description": "Display name\n", + "name": "displayName", + "type": "keyword" + }, + { + "description": "ID\n", 
+ "name": "id", + "type": "keyword" + }, + { + "description": "ip Address\n", + "name": "ipAddress", + "type": "keyword" + } + ], + "name": "user", + "type": "group" + } + ], + "name": "initiated_by", + "type": "group" + } + ], + "name": "properties", + "type": "group" + } + ], + "name": "auditlogs", + "type": "group" + } + ] + } + } + } + }, + "signinlogs": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields for Azure sign-in logs.\n", + "fields": [ + { + "description": "The operation name\n", + "name": "operation_name", + "type": "keyword" + }, + { + "description": "The operation version\n", + "name": "operation_version", + "type": "keyword" + }, + { + "description": "Tenant ID\n", + "name": "tenant_id", + "type": "keyword" + }, + { + "description": "Result signature\n", + "name": "result_signature", + "type": "keyword" + }, + { + "description": "Result description\n", + "name": "result_description", + "type": "keyword" + }, + { + "description": "Result type\n", + "name": "result_type", + "type": "keyword" + }, + { + "description": "Identity\n", + "name": "identity", + "type": "keyword" + }, + { + "description": "Category\n", + "name": "category", + "type": "keyword" + }, + { + "description": "The signin log properties\n", + "fields": [ + { + "description": "ID\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Created date time\n", + "name": "created_at", + "type": "date" + }, + { + "description": "User display name\n", + "name": "user_display_name", + "type": "keyword" + }, + { + "description": "Correlation ID\n", + "name": "correlation_id", + "type": "keyword" + }, + { + "description": "User principal name\n", + "name": "user_principal_name", + "type": "keyword" + }, + { + "description": "User ID\n", + "name": "user_id", + "type": "keyword" + }, + { + "description": "App ID\n", + "name": "app_id", + "type": "keyword" + }, + { + "description": "App display name\n", + "name": 
"app_display_name", + "type": "keyword" + }, + { + "description": "Ip address\n", + "name": "ip_address", + "type": "keyword" + }, + { + "description": "Client app used\n", + "name": "client_app_used", + "type": "keyword" + }, + { + "description": "Conditional access status\n", + "name": "conditional_access_status", + "type": "keyword" + }, + { + "description": "Original request ID\n", + "name": "original_request_id", + "type": "keyword" + }, + { + "description": "Is interactive\n", + "name": "is_interactive", + "type": "keyword" + }, + { + "description": "Token issuer name\n", + "name": "token_issuer_name", + "type": "keyword" + }, + { + "description": "Token issuer type\n", + "name": "token_issuer_type", + "type": "keyword" + }, + { + "description": "Processing time in milliseconds\n", + "name": "processing_time_ms", + "type": "float" + }, + { + "description": "Risk detail\n", + "name": "risk_detail", + "type": "keyword" + }, + { + "description": "Risk level aggregated\n", + "name": "risk_level_aggregated", + "type": "keyword" + }, + { + "description": "Risk level during signIn\n", + "name": "risk_level_during_signin", + "type": "keyword" + }, + { + "description": "Risk state\n", + "name": "risk_state", + "type": "keyword" + }, + { + "description": "Resource display name\n", + "name": "resource_display_name", + "type": "keyword" + }, + { + "description": "Status\n", + "fields": [ + { + "description": "Error code\n", + "name": "error_code", + "type": "keyword" + } + ], + "name": "status", + "type": "group" + }, + { + "description": "Status\n", + "fields": [ + { + "description": "Device ID\n", + "name": "device_id", + "type": "keyword" + }, + { + "description": "Operating system\n", + "name": "operating_system", + "type": "keyword" + }, + { + "description": "Browser\n", + "name": "browser", + "type": "keyword" + }, + { + "description": "Display name\n", + "name": "display_name", + "type": "keyword" + }, + { + "description": "Trust type\n", + "name": "trust_type", + 
"type": "keyword" + } + ], + "name": "device_detail", + "type": "group" + }, + { + "description": "Status\n", + "name": "service_principal_id", + "type": "keyword" + } + ], + "name": "properties", + "type": "group" + } + ], + "name": "signinlogs", + "type": "group" + } + ] + } + } + } + } + } + }, + "barracuda": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "module": "barracuda", + "waf": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "barracuda fields.\n", + "fields": null, + "key": "barracuda", + "title": "Barracuda Web Application Firewall" + } + ] + } + }, + "waf": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Name of the network interface where the traffic has been observed.\n", + "name": "network.interface.name", + "overwrite": true, + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "fields": [ + { + "description": "This key is used to capture the raw message that comes into the Log Decoder", + "name": "msg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "messageid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of instant messages", + "name": "message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.", + "name": "time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "level", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_vid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "data", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "statement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "audit_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "entry", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "hcode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "inode", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource_class", + "overwrite": true, + "type": "keyword" + }, + { 
+ "description": "Deprecated key defined only in table map.", + "name": "dead", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "device_type_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "did", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "event_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.", + "name": "forward_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "forward_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "header_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_ctime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session", + "name": "medium", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "node_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key denotes that event is endpoint related", + "name": "nwe_callback_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "parse_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.", + "name": "process_vid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.", + "name": "process_vid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "rid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "session_split", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "site", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "size", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "sourcefile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log", + "name": "word", + "overwrite": true, + "type": "keyword" + } + ], + "name": "internal", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form", + "name": "event_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the normalized duration/lifetime in seconds.", + "name": "duration_time", + "overwrite": true, + "type": "double" + }, + { + "description": "This key is used to capture the incomplete time mentioned in a session as a string", + "name": "event_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Start time mentioned in a session in a 
standard form", + "name": "starttime", + "overwrite": true, + "type": "date" + }, + { + "name": "month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "day", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the End time mentioned in a session in a standard form", + "name": "endtime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the timezone of the Event Time", + "name": "timezone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A text string version of the duration", + "name": "duration_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. 
Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": "expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": 
true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a 
sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. 
Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd Linked ID. 
Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + "name": 
"event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI", + "name": "ip_proto", + "overwrite": true, + "type": "long" + }, + { + "name": "dns_cname_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_opcode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_resp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "host_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "packet_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.", + "name": "host_orig", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.", + "name": "rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the name of the Virtual LAN", + "name": "vlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "network", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures the particular event activity(Ex:Logoff)", + "name": "ec_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Theme of a particular Event(Ex:Authentication)", + "name": "ec_theme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Subject of a particular Event(Ex:User)", + "name": "ec_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the outcome of a particular Event(Ex:Success)", + "name": "ec_outcome", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Event 
category number", + "name": "event_cat", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the event category name corresponding to the event cat code", + "name": "event_cat_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.", + "name": "event_vcat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file", + "name": "analysis_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service", + "name": "analysis_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session", + "name": "analysis_session", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture behaviour of compromise", + "name": "boc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Enablers of Compromise", + "name": "eoc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation category", + "name": "inv_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation context", + "name": "inv_context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is key capture indicator of compromise", + "name": "ioc", + "overwrite": true, + "type": "keyword" + } + ], + "name": "investigations", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is a generic counter key that should be used with the label dclass.c1.str only", + "name": "dclass_c1", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c2.str only", + "name": "dclass_c2", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the number of times an event repeated", + "name": "event_counter", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r1.str only", + "name": "dclass_r1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c3.str only", + "name": "dclass_c3", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c1 only", + "name": "dclass_c1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter 
string key that should be used with the label dclass.c2 only", + "name": "dclass_c2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r1 only", + "name": "dclass_r1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r2.str only", + "name": "dclass_r2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c3 only", + "name": "dclass_c3_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r3.str only", + "name": "dclass_r3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r2 only", + "name": "dclass_r2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r3 only", + "name": "dclass_r3_str", + "overwrite": true, + "type": "keyword" + } + ], + "name": "counters", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture authentication methods used only", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Role of a user only", + "name": "user_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "X.500 (LDAP) Distinguished Name", + "name": "dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the type of logon method used.", + "name": "logon_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the user profile", + "name": "profile", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key is used to capture actual privileges used in accessing an object", + "name": "accesses", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Radius realm or similar grouping of accounts", + "name": "realm", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination User Session ID", + "name": "user_sid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn", + "name": "dn_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the User organization", + "name": "org", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn", + "name": "dn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "firstname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "lastname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User's Department Names only", + "name": "user_dept", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source User Session ID", + "name": "user_sid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Federated Service Provider. This is the application requesting authentication.", + "name": "federated_sp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the federated Identity Provider. 
This is the server providing the authentication.", + "name": "federated_idp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.", + "name": "logon_type_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "middlename", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Passwords seen in any session, plain text or encrypted", + "name": "password", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the role of a Host Machine", + "name": "host_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context", + "name": "ldap", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Search criteria from an LDAP search", + "name": "ldap_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to capture Results from an LDAP search", + "name": "ldap_response", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture username the process or service is running as, the author of the task", + "name": "owner", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage", + "name": "service_account", + "overwrite": true, + "type": "keyword" + } + ], + "name": "identity", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email", + "name": "email_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the source email address only, when the source context is not clear use email", + "name": "email_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the subject string from an Email only.", + "name": "subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a generic email address where the source or destination context is not clear", + "name": "email", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_to", + "overwrite": true, + "type": "keyword" + } + ], + "name": "email", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Deprecated, use permissions", + "name": "privilege", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the attachment file name", + "name": "attachment", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filesystem", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "binary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the file targeted by the action", + "name": "filename_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the parent filename, the 
file which performed the action", + "name": "filename_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filename_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the target process or file", + "name": "directory_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the source process or file", + "name": "directory_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture entropy vale of a file", + "name": "file_entropy", + "overwrite": true, + "type": "double" + }, + { + "description": "This is used to capture Company name of file located in version_info", + "name": "file_vendor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the task", + "name": "task_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "file", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Fully Qualified Domain Names", + "name": "fqdn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Web cookies specifically.", + "name": "web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reputation Number of an entity. 
Typically used for Web Domains", + "name": "reputation_num", + "overwrite": true, + "type": "double" + }, + { + "description": "Web referer's domain", + "name": "web_ref_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's query portion of the URL", + "name": "web_ref_query", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's page information", + "name": "web_ref_page", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web referer's root URL path", + "name": "web_ref_root", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_rpackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlpage", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlroot", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_url", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_method", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_referer", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_extension_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_page", + "overwrite": true, + "type": "keyword" + } + ], + "name": "web", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures Threat Name/Threat Category/Categorization of alert", + "name": "threat_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the threat description from the session directly or inferred", + "name": "threat_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": 
"This key is used to capture name of the alert", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source of the threat", + "name": "threat_source", + "overwrite": true, + "type": "keyword" + } + ], + "name": "threat", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Encryption Type or Encryption Key only", + "name": "crypto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Source (Client) Cipher", + "name": "cipher_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate organization only", + "name": "cert_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer's IP Address", + "name": "peer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source (Client) Cipher Size", + "name": "cipher_size_src", + "overwrite": true, + "type": "long" + }, + { + "description": "IKE negotiation phase.", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Encryption scheme used", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer\u2019s identity", + "name": "peer_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Signature Type", + "name": "sig_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_issuer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "cert_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Certificate Error String", + "name": "cert_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Destination 
(Server) Cipher", + "name": "cipher_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination (Server) Cipher Size", + "name": "cipher_size_dst", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "d_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "name": "s_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One", + "name": "ike_cookie1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two", + "name": "ike_cookie2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used for the hostname category value of a certificate", + "name": "cert_host_cat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate serial number only", + "name": "cert_serial", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Certificate validation status", + "name": "cert_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_keysize", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_insact", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_valid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate signing authority only", + "name": "cert_ca", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate common 
name only", + "name": "cert_common", + "overwrite": true, + "type": "keyword" + } + ], + "name": "crypto", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the ssid of a Wireless Session", + "name": "wlan_ssid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the access point name.", + "name": "access_point", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the channel names", + "name": "wlan_channel", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures either WLAN number/name", + "name": "wlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "wireless", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "A unique name assigned to logical units (volumes) within a physical disk", + "name": "disk_volume", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Logical Unit Number.This key is a very useful concept in Storage.", + "name": "lun", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This uniquely identifies a port on a HBA.", + "name": "pwwn", + "overwrite": true, + "type": "keyword" + } + ], + "name": "storage", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.", + "name": "org_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.", + "name": "org_src", + "overwrite": true, + "type": "keyword" + } + ], + "name": "physical", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_fname", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "This key captures the unique ID for a patient", + "name": "patient_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_lname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_mname", + "overwrite": true, + "type": "keyword" + } + ], + "name": "healthcare", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on", + "name": "host_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the path to the registry key", + "name": "registry_key", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures values or decorators used within a registry entry", + "name": "registry_value", + "overwrite": true, + "type": "keyword" + } + ], + "name": "endpoint", + "overwrite": true, + "type": "group" + } + ], + "name": "rsa", + "overwrite": true, + "type": "group" + } + ] + } + } + } + } + } + }, + "bluecoat": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "director": { + "enabled": true + }, + "module": "bluecoat" + } + ], + "fields.yml": [ + { + "description": "bluecoat fields.\n", + "fields": null, + "key": "bluecoat", + "title": "Blue Coat Director" + } + ] + } + }, + "director": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Name of the network interface where the traffic has been observed.\n", + "name": "network.interface.name", + "overwrite": true, + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "fields": [ + { + 
"description": "This key is used to capture the raw message that comes into the Log Decoder", + "name": "msg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "messageid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of instant messages", + "name": "message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.", + "name": "time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "level", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_vid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "data", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "statement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "audit_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "entry", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "hcode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "inode", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "dead", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "device_type_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "did", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "event_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.", + "name": "forward_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "forward_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "header_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_ctime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session", + "name": "medium", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "node_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key denotes that event is endpoint related", + "name": "nwe_callback_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "parse_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.", + "name": "process_vid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.", + "name": "process_vid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "rid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "session_split", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "site", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "size", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "sourcefile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log", + "name": "word", + "overwrite": true, + "type": "keyword" + } + ], + "name": "internal", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form", + "name": "event_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the normalized duration/lifetime in seconds.", + "name": "duration_time", + "overwrite": true, + "type": "double" + }, + { + "description": "This key is used to capture the incomplete time mentioned in a session as a string", + "name": "event_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Start time mentioned in a session in a 
standard form", + "name": "starttime", + "overwrite": true, + "type": "date" + }, + { + "name": "month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "day", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the End time mentioned in a session in a standard form", + "name": "endtime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the timezone of the Event Time", + "name": "timezone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A text string version of the duration", + "name": "duration_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. 
Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": "expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": 
true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a 
sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. 
Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd Linked ID. 
Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + "name": 
"event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI", + "name": "ip_proto", + "overwrite": true, + "type": "long" + }, + { + "name": "dns_cname_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_opcode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_resp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "host_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "packet_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.", + "name": "host_orig", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.", + "name": "rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the name of the Virtual LAN", + "name": "vlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "network", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures the particular event activity(Ex:Logoff)", + "name": "ec_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Theme of a particular Event(Ex:Authentication)", + "name": "ec_theme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Subject of a particular Event(Ex:User)", + "name": "ec_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the outcome of a particular Event(Ex:Success)", + "name": "ec_outcome", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Event 
category number", + "name": "event_cat", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the event category name corresponding to the event cat code", + "name": "event_cat_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.", + "name": "event_vcat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file", + "name": "analysis_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service", + "name": "analysis_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session", + "name": "analysis_session", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture behaviour of compromise", + "name": "boc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Enablers of Compromise", + "name": "eoc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation category", + "name": "inv_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation context", + "name": "inv_context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is key capture indicator of compromise", + "name": "ioc", + "overwrite": true, + "type": "keyword" + } + ], + "name": "investigations", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is a generic counter key that should be used with the label dclass.c1.str only", + "name": "dclass_c1", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c2.str only", + "name": "dclass_c2", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the number of times an event repeated", + "name": "event_counter", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r1.str only", + "name": "dclass_r1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c3.str only", + "name": "dclass_c3", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c1 only", + "name": "dclass_c1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter 
string key that should be used with the label dclass.c2 only", + "name": "dclass_c2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r1 only", + "name": "dclass_r1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r2.str only", + "name": "dclass_r2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c3 only", + "name": "dclass_c3_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r3.str only", + "name": "dclass_r3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r2 only", + "name": "dclass_r2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r3 only", + "name": "dclass_r3_str", + "overwrite": true, + "type": "keyword" + } + ], + "name": "counters", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture authentication methods used only", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Role of a user only", + "name": "user_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "X.500 (LDAP) Distinguished Name", + "name": "dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the type of logon method used.", + "name": "logon_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the user profile", + "name": "profile", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key is used to capture actual privileges used in accessing an object", + "name": "accesses", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Radius realm or similar grouping of accounts", + "name": "realm", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination User Session ID", + "name": "user_sid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn", + "name": "dn_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the User organization", + "name": "org", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn", + "name": "dn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "firstname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "lastname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User's Department Names only", + "name": "user_dept", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source User Session ID", + "name": "user_sid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Federated Service Provider. This is the application requesting authentication.", + "name": "federated_sp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the federated Identity Provider. 
This is the server providing the authentication.", + "name": "federated_idp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.", + "name": "logon_type_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "middlename", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Passwords seen in any session, plain text or encrypted", + "name": "password", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the role of a Host Machine", + "name": "host_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context", + "name": "ldap", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Search criteria from an LDAP search", + "name": "ldap_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to capture Results from an LDAP search", + "name": "ldap_response", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture username the process or service is running as, the author of the task", + "name": "owner", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage", + "name": "service_account", + "overwrite": true, + "type": "keyword" + } + ], + "name": "identity", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email", + "name": "email_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the source email address only, when the source context is not clear use email", + "name": "email_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the subject string from an Email only.", + "name": "subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a generic email address where the source or destination context is not clear", + "name": "email", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_to", + "overwrite": true, + "type": "keyword" + } + ], + "name": "email", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Deprecated, use permissions", + "name": "privilege", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the attachment file name", + "name": "attachment", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filesystem", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "binary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the file targeted by the action", + "name": "filename_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the parent filename, the 
file which performed the action", + "name": "filename_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filename_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the target process or file", + "name": "directory_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the source process or file", + "name": "directory_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture entropy vale of a file", + "name": "file_entropy", + "overwrite": true, + "type": "double" + }, + { + "description": "This is used to capture Company name of file located in version_info", + "name": "file_vendor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the task", + "name": "task_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "file", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Fully Qualified Domain Names", + "name": "fqdn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Web cookies specifically.", + "name": "web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reputation Number of an entity. 
Typically used for Web Domains", + "name": "reputation_num", + "overwrite": true, + "type": "double" + }, + { + "description": "Web referer's domain", + "name": "web_ref_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's query portion of the URL", + "name": "web_ref_query", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's page information", + "name": "web_ref_page", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web referer's root URL path", + "name": "web_ref_root", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_rpackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlpage", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlroot", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_url", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_method", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_referer", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_extension_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_page", + "overwrite": true, + "type": "keyword" + } + ], + "name": "web", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures Threat Name/Threat Category/Categorization of alert", + "name": "threat_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the threat description from the session directly or inferred", + "name": "threat_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": 
"This key is used to capture name of the alert", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source of the threat", + "name": "threat_source", + "overwrite": true, + "type": "keyword" + } + ], + "name": "threat", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Encryption Type or Encryption Key only", + "name": "crypto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Source (Client) Cipher", + "name": "cipher_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate organization only", + "name": "cert_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer's IP Address", + "name": "peer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source (Client) Cipher Size", + "name": "cipher_size_src", + "overwrite": true, + "type": "long" + }, + { + "description": "IKE negotiation phase.", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Encryption scheme used", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer\u2019s identity", + "name": "peer_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Signature Type", + "name": "sig_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_issuer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "cert_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Certificate Error String", + "name": "cert_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Destination 
(Server) Cipher", + "name": "cipher_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination (Server) Cipher Size", + "name": "cipher_size_dst", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "d_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "name": "s_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One", + "name": "ike_cookie1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two", + "name": "ike_cookie2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used for the hostname category value of a certificate", + "name": "cert_host_cat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate serial number only", + "name": "cert_serial", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Certificate validation status", + "name": "cert_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_keysize", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_insact", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_valid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate signing authority only", + "name": "cert_ca", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate common 
name only", + "name": "cert_common", + "overwrite": true, + "type": "keyword" + } + ], + "name": "crypto", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the ssid of a Wireless Session", + "name": "wlan_ssid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the access point name.", + "name": "access_point", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the channel names", + "name": "wlan_channel", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures either WLAN number/name", + "name": "wlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "wireless", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "A unique name assigned to logical units (volumes) within a physical disk", + "name": "disk_volume", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Logical Unit Number.This key is a very useful concept in Storage.", + "name": "lun", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This uniquely identifies a port on a HBA.", + "name": "pwwn", + "overwrite": true, + "type": "keyword" + } + ], + "name": "storage", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.", + "name": "org_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.", + "name": "org_src", + "overwrite": true, + "type": "keyword" + } + ], + "name": "physical", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_fname", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "This key captures the unique ID for a patient", + "name": "patient_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_lname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_mname", + "overwrite": true, + "type": "keyword" + } + ], + "name": "healthcare", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on", + "name": "host_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the path to the registry key", + "name": "registry_key", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures values or decorators used within a registry entry", + "name": "registry_value", + "overwrite": true, + "type": "keyword" + } + ], + "name": "endpoint", + "overwrite": true, + "type": "group" + } + ], + "name": "rsa", + "overwrite": true, + "type": "group" + } + ] + } + } + } + } + } + }, + "cef": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true, + "var": { + "syslog_host": "localhost", + "syslog_port": 9003 + } + }, + "module": "cef" + } + ], + "fields.yml": [ + { + "description": "Module for receiving CEF logs over Syslog. 
The module adds vendor specific fields in addition to the fields the decode_cef processor provides.\n", + "fields": null, + "key": "cef-module", + "title": "CEF" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields for Forcepoint Custom String mappings\n", + "fields": [ + { + "description": "Virus ID\n", + "name": "virus_id", + "type": "keyword" + } + ], + "name": "forcepoint", + "type": "group" + }, + { + "default_field": false, + "description": "Fields for Check Point custom string mappings.\n", + "fields": [ + { + "description": "Application risk.", + "name": "app_risk", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Application threat severity.", + "name": "app_severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The signature ID which the application was detected by.", + "name": "app_sig_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Password authentication protocol used.", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Category.", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Confidence level determined.", + "name": "confidence_level", + "overwrite": true, + "type": "integer" + }, + { + "description": "Connectivity state.", + "name": "connectivity_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "IKE cookie.", + "name": "cookie", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination IP-Phone.", + "name": "dst_phone_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Engine name.", + "name": "email_control", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Internal email ID.", + "name": "email_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Number of recipients.", + "name": 
"email_recipients_num", + "overwrite": true, + "type": "long" + }, + { + "description": "Internal email session ID.", + "name": "email_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Internal email spool ID.", + "name": "email_spool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Email subject.", + "name": "email_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Number of events associated with the log.", + "name": "event_count", + "overwrite": true, + "type": "long" + }, + { + "description": "Scan frequency.", + "name": "frequency", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ICMP type.", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "ICMP code.", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "Identity type.", + "name": "identity_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Format of original data.", + "name": "incident_extension", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Scan invoke type.", + "name": "integrity_av_invoke_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Malware family.", + "name": "malware_family", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Main IP of the peer Security Gateway.", + "name": "peer_gateway", + "overwrite": true, + "type": "ip" + }, + { + "description": "Protection performance impact.", + "name": "performance_impact", + "overwrite": true, + "type": "integer" + }, + { + "description": "Protection malware ID.", + "name": "protection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Specific signature name of the attack.", + "name": "protection_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Type of protection used to detect the attack.", + "name": "protection_type", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "Scan result.", + "name": "scan_result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Sensor mode.", + "name": "sensor_mode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Threat severity.", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Spyware name.", + "name": "spyware_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Spyware status.", + "name": "spyware_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The expiration date of the subscription.", + "name": "subs_exp", + "overwrite": true, + "type": "date" + }, + { + "description": "TCP packet flags.", + "name": "tcp_flags", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Termination reason.", + "name": "termination_reason", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Update status.", + "name": "update_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User response.", + "name": "user_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "External ID.", + "name": "uuid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Virus name.", + "name": "virus_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "VoIP log types.", + "name": "voip_log_type", + "overwrite": true, + "type": "keyword" + } + ], + "name": "checkpoint", + "type": "group" + }, + { + "default_field": false, + "description": "Extra vendor-specific extensions.\n", + "fields": [ + { + "name": "cp_app_risk", + "type": "keyword" + }, + { + "name": "cp_severity", + "type": "keyword" + }, + { + "name": "ifname", + "type": "keyword" + }, + { + "name": "inzone", + "type": "keyword" + }, + { + "name": "layer_uuid", + "type": "keyword" + }, + { + "name": "layer_name", + "type": "keyword" + }, + { + "name": "logid", + "type": "keyword" + }, + { + 
"name": "loguid", + "type": "keyword" + }, + { + "name": "match_id", + "type": "keyword" + }, + { + "name": "nat_addtnl_rulenum", + "type": "keyword" + }, + { + "name": "nat_rulenum", + "type": "keyword" + }, + { + "name": "origin", + "type": "keyword" + }, + { + "name": "originsicname", + "type": "keyword" + }, + { + "name": "outzone", + "type": "keyword" + }, + { + "name": "parent_rule", + "type": "keyword" + }, + { + "name": "product", + "type": "keyword" + }, + { + "name": "rule_action", + "type": "keyword" + }, + { + "name": "rule_uid", + "type": "keyword" + }, + { + "name": "sequencenum", + "type": "keyword" + }, + { + "name": "service_id", + "type": "keyword" + }, + { + "name": "version", + "type": "keyword" + } + ], + "name": "cef.extensions", + "type": "group" + } + ] + } + } + } + } + } + }, + "checkpoint": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "firewall": { + "enabled": true + }, + "module": "checkpoint" + } + ], + "fields.yml": [ + { + "description": "Some checkpoint module\n", + "fields": null, + "key": "checkpoint", + "title": "Checkpoint" + } + ] + } + }, + "firewall": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Module for parsing Checkpoint syslog.\n", + "fields": [ + { + "description": "Confidence level determined by ThreatCloud.\n", + "name": "confidence_level", + "overwrite": true, + "type": "integer" + }, + { + "description": "Log description.\n", + "name": "calc_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination country.\n", + "name": "dst_country", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Connected user name on the destination IP.\n", + "name": "dst_user_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Email number in smtp connection.\n", + "name": "email_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Original email subject.\n", + "name": 
"email_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Connection uuid.\n", + "name": "email_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Number of events associated with the log.\n", + "name": "event_count", + "overwrite": true, + "type": "long" + }, + { + "description": "System messages\n", + "name": "sys_message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "System messages\n", + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The impact of update service failure.\n", + "name": "failure_impact", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Override application ID.\n", + "name": "id", + "overwrite": true, + "type": "integer" + }, + { + "description": "Policy installation status for a specific blade.\n", + "name": "information", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Layer name.\n", + "name": "layer_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Layer UUID.\n", + "name": "layer_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Unique identity for logs.\n", + "name": "log_id", + "overwrite": true, + "type": "integer" + }, + { + "description": "Additional information on protection.\n", + "name": "malware_family", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Machine SIC.\n", + "name": "origin_sic_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Name of the Management Server that manages this Security Gateway.\n", + "name": "policy_mgmt", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Name of the last policy that this Security Gateway fetched.\n", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Protection malware id.\n", + "name": "protection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Specific 
signature name of the attack.\n", + "name": "protection_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Type of protection used to detect the attack.\n", + "name": "protection_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Protocol detected on the connection.\n", + "name": "protocol", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Sender source IP (even when using proxy).\n", + "name": "proxy_src_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "Matched rule number.\n", + "name": "rule", + "overwrite": true, + "type": "integer" + }, + { + "description": "Action of the matched rule in the access policy.\n", + "name": "rule_action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Scan direction.\n", + "name": "scan_direction", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Log uuid.\n", + "name": "session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "OS which generated the attack.\n", + "name": "source_os", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Country name, derived from connection source IP address.\n", + "name": "src_country", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User name connected to source IP\n", + "name": "src_user_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Unique ID per file.\n", + "name": "ticket_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNI/CN from encrypted TLS connection used by URLF for categorization.\n", + "name": "tls_server_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "TE engine verdict Possible values: Malicious/Benign/Error.\n", + "name": "verdict", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source user name.\n", + "name": "user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The vendor 
name that provided the verdict for a malicious URL.\n", + "name": "vendor_list", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web server detected in the HTTP response.\n", + "name": "web_server_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Client Application or Software Blade that detected the event.\n", + "name": "client_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Build version of SandBlast Agent client installed on the computer.\n", + "name": "client_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Build version of the SandBlast Agent browser extension.\n", + "name": "extension_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Local time on the endpoint computer.\n", + "name": "host_time", + "overwrite": true, + "type": "keyword" + }, + { + "description": "List of installed Endpoint Software Blades.\n", + "name": "installed_products", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The Carbon Copy address of the email.\n", + "name": "cc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Owner username of the parent process of the process that triggered the attack.\n", + "name": "parent_process_username", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Owner username of the process that triggered the attack.\n", + "name": "process_username", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Audit Status. 
Can be Success or Failure.\n", + "name": "audit_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Table of affected objects.\n", + "name": "objecttable", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The type of the affected object.\n", + "name": "objecttype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The operation nuber.\n", + "name": "operation_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Amount of recipients whom the mail was sent to.\n", + "name": "email_recipients_num", + "overwrite": true, + "type": "integer" + }, + { + "description": "Aggregated connections for five minutes on the same source, destination and port.\n", + "name": "suppressed_logs", + "overwrite": true, + "type": "integer" + }, + { + "description": "Blade name.\n", + "name": "blade_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Ok/Warning/Error.\n", + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Short description of the process that was executed.\n", + "name": "short_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "More information on the process (usually describing error reason in failure).\n", + "name": "long_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Number of unique hosts during the last hour.\n", + "name": "scan_hosts_hour", + "overwrite": true, + "type": "integer" + }, + { + "description": "Number of unique hosts during the last day.\n", + "name": "scan_hosts_day", + "overwrite": true, + "type": "integer" + }, + { + "description": "Number of unique hosts during the last week.\n", + "name": "scan_hosts_week", + "overwrite": true, + "type": "integer" + }, + { + "description": "Detected virus for a specific host during the last hour.\n", + "name": "unique_detected_hour", + "overwrite": true, + "type": "integer" + }, + { + "description": "Detected virus for a 
specific host during the last day.\n", + "name": "unique_detected_day", + "overwrite": true, + "type": "integer" + }, + { + "description": "Detected virus for a specific host during the last week.\n", + "name": "unique_detected_week", + "overwrite": true, + "type": "integer" + }, + { + "description": "Number of emails that were scanned by \"AB malicious activity\" engine.\n", + "name": "scan_mail", + "overwrite": true, + "type": "integer" + }, + { + "description": "DNS host name.\n", + "name": "additional_ip", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Additional explanation how the security gateway enforced the connection.\n", + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Email categories. Possible values: spam/not spam/phishing.\n", + "name": "email_spam_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Message classification, received from spam vendor engine.\n", + "name": "email_control_analysis", + "overwrite": true, + "type": "keyword" + }, + { + "description": "\"Infected\"/description of a failure.\n", + "name": "scan_results", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Original postfix email queue id.\n", + "name": "original_queue_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Risk level we got from the engine.\n", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + "description": "IOC observable signature name.\n", + "name": "observable_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "IOC observable signature id.\n", + "name": "observable_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "IOC observable signature description.\n", + "name": "observable_comment", + "overwrite": true, + "type": "keyword" + }, + { + "description": "IOC indicator name.\n", + "name": "indicator_name", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "IOC indicator description.\n", + "name": "indicator_description", + "overwrite": true, + "type": "keyword" + }, + { + "description": "IOC indicator reference.\n", + "name": "indicator_reference", + "overwrite": true, + "type": "keyword" + }, + { + "description": "IOC indicator uuid.\n", + "name": "indicator_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Application description.\n", + "name": "app_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Application ID.\n", + "name": "app_id", + "overwrite": true, + "type": "integer" + }, + { + "description": "IOC indicator description.\n", + "name": "app_sig_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "HTTPS resource Possible values: SNI or domain name (DN).\n", + "name": "certificate_resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Precise error, describing HTTPS certificate failure under \"HTTPS categorize websites\" feature.\n", + "name": "certificate_validation", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Application session browse time.\n", + "name": "browse_time", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Indicates whether data limit was requested for the session.\n", + "name": "limit_requested", + "overwrite": true, + "type": "integer" + }, + { + "description": "Indicates whether the session was actually date limited.\n", + "name": "limit_applied", + "overwrite": true, + "type": "integer" + }, + { + "description": "Amount of dropped packets (both incoming and outgoing).\n", + "name": "dropped_total", + "overwrite": true, + "type": "integer" + }, + { + "description": "Client OS detected in the HTTP request.\n", + "name": "client_type_os", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Application name.\n", + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Application categories.\n", + 
"name": "properties", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Application's signature ID which how it was detected by.\n", + "name": "sig_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Override application description.\n", + "name": "desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "UUID of the current log.\n", + "name": "referrer_self_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Log UUID of the referring application.\n", + "name": "referrer_parent_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Browse time required for the connection.\n", + "name": "needs_browse_time", + "overwrite": true, + "type": "integer" + }, + { + "description": "Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party.\n", + "name": "cluster_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Sync status and the reason (stable, at risk).\n", + "name": "sync", + "overwrite": true, + "type": "keyword" + }, + { + "description": "File direction. 
Possible options: upload/download.\n", + "name": "file_direction", + "overwrite": true, + "type": "keyword" + }, + { + "description": "File_size field is valid only if this field is set to 0.\n", + "name": "invalid_file_size", + "overwrite": true, + "type": "integer" + }, + { + "description": "In case of archive file: the file that was sent/received.\n", + "name": "top_archive_file_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Data type in rulebase that was matched.\n", + "name": "data_type_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Compound/Group scenario, data type that was matched.\n", + "name": "specific_data_type_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Words matched by data type.\n", + "name": "word_list", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Special log message.\n", + "name": "info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "URL related to this log (for HTTP).\n", + "name": "outgoing_url", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Matched rule name.\n", + "name": "dlp_rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Mail recipients.\n", + "name": "dlp_recipients", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Mail subject.\n", + "name": "dlp_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Phrases matched by data type.\n", + "name": "dlp_word_list", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Template data type match score.\n", + "name": "dlp_template_score", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Mail/post size.\n", + "name": "message_size", + "overwrite": true, + "type": "integer" + }, + { + "description": "Unique ID of the matched rule.\n", + "name": "dlp_incident_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Other ID 
related to this one.\n", + "name": "dlp_related_incident_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Matched data type.\n", + "name": "dlp_data_type_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Unique ID of the matched data type.\n", + "name": "dlp_data_type_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Violation descriptions described in the rulebase.\n", + "name": "dlp_violation_description", + "overwrite": true, + "type": "keyword" + }, + { + "description": "In case of Compound/Group: the inner data types that were matched.\n", + "name": "dlp_relevant_data_types", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Action chosen reason.\n", + "name": "dlp_action_reason", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Data type category.\n", + "name": "dlp_categories", + "overwrite": true, + "type": "keyword" + }, + { + "description": "HTTP/SMTP/FTP.\n", + "name": "dlp_transint", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Log marked as duplicated, when mail is split and the Security Gateway sees it twice.\n", + "name": "duplicate", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Matched data type.\n", + "name": "incident_extension", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Unique ID of the matched data type.\n", + "name": "matched_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Fingerprint: number of text segments matched by this traffic.\n", + "name": "matched_file_text_segments", + "overwrite": true, + "type": "integer" + }, + { + "description": "Fingerprint: match percentage of the traffic.\n", + "name": "matched_file_percentage", + "overwrite": true, + "type": "integer" + }, + { + "description": "Watermark/None.\n", + "name": "dlp_additional_action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Watermark which was 
applied.\n", + "name": "dlp_watermark_profile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of scanned repository.\n", + "name": "dlp_repository_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Repository path.\n", + "name": "dlp_repository_root_path", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Sequential number of scan.\n", + "name": "scan_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "If this field is set to '1' the log will not be shown (in use for monitoring scan progress).\n", + "name": "special_properties", + "overwrite": true, + "type": "integer" + }, + { + "description": "Repository size.\n", + "name": "dlp_repository_total_size", + "overwrite": true, + "type": "integer" + }, + { + "description": "Number of files in repository.\n", + "name": "dlp_repository_files_number", + "overwrite": true, + "type": "integer" + }, + { + "description": "Number of scanned files in repository.\n", + "name": "dlp_repository_scanned_files_number", + "overwrite": true, + "type": "integer" + }, + { + "description": "Scan duration. 
\n", + "name": "duration", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Scan status - long format.\n", + "name": "dlp_fingerprint_long_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Scan status - short format.\n", + "name": "dlp_fingerprint_short_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Number of directories in repository.\n", + "name": "dlp_repository_directories_number", + "overwrite": true, + "type": "integer" + }, + { + "description": "Number of directories the Security Gateway was unable to read.\n", + "name": "dlp_repository_unreachable_directories_number", + "overwrite": true, + "type": "integer" + }, + { + "description": "Number of successfully scanned files in repository.\n", + "name": "dlp_fingerprint_files_number", + "overwrite": true, + "type": "integer" + }, + { + "description": "Skipped number of files because of configuration.\n", + "name": "dlp_repository_skipped_files_number", + "overwrite": true, + "type": "integer" + }, + { + "description": "Amount of directories scanned.\n", + "name": "dlp_repository_scanned_directories_number", + "overwrite": true, + "type": "integer" + }, + { + "description": "Number of files that were not scanned due to an error.\n", + "name": "number_of_errors", + "overwrite": true, + "type": "integer" + }, + { + "description": "Next scan scheduled time according to time object. 
\n", + "name": "next_scheduled_scan_date", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Size scanned.\n", + "name": "dlp_repository_scanned_total_size", + "overwrite": true, + "type": "integer" + }, + { + "description": "Number of scanned directories in repository.\n", + "name": "dlp_repository_reached_directories_number", + "overwrite": true, + "type": "integer" + }, + { + "description": "Percentage of directories the Security Gateway was unable to read.\n", + "name": "dlp_repository_not_scanned_directories_percentage", + "overwrite": true, + "type": "integer" + }, + { + "description": "Current scan speed.\n", + "name": "speed", + "overwrite": true, + "type": "integer" + }, + { + "description": "Scan percentage.\n", + "name": "dlp_repository_scan_progress", + "overwrite": true, + "type": "integer" + }, + { + "description": "Layer name.\n", + "name": "sub_policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Layer uid.\n", + "name": "sub_policy_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Used for various firewall errors.\n", + "name": "fw_message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ISP link has failed.\n", + "name": "message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Name of ISP link.\n", + "name": "isp_link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Can be vpn/non vpn.\n", + "name": "fw_subproduct", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Error information, what caused sctp to fail on out_of_state.\n", + "name": "sctp_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Chunck of the sctp stream.\n", + "name": "chunk_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The bad state you were trying to update to.\n", + "name": "sctp_association_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "State 
violation.\n", + "name": "tcp_packet_out_of_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "TCP packet flags (SYN, ACK, etc.,).\n", + "name": "tcp_flags", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Log for a new connection in wire mode.\n", + "name": "connectivity_level", + "overwrite": true, + "type": "keyword" + }, + { + "description": "IP option that was dropped.\n", + "name": "ip_option", + "overwrite": true, + "type": "integer" + }, + { + "description": "Log reinting a tcp state change.\n", + "name": "tcp_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Connection closing time.\n", + "name": "expire_time", + "overwrite": true, + "type": "keyword" + }, + { + "description": "In case a connection is ICMP, type info will be added to the log.\n", + "name": "icmp_type", + "overwrite": true, + "type": "integer" + }, + { + "description": "In case a connection is ICMP, code info will be added to the log.\n", + "name": "icmp_code", + "overwrite": true, + "type": "integer" + }, + { + "description": "Log for new RPC state - prog values.\n", + "name": "rpc_prog", + "overwrite": true, + "type": "integer" + }, + { + "description": "Log for new RPC state - UUID values\n", + "name": "dce-rpc_interface_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Time passed since start time.\n", + "name": "elapsed", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Number of packets, received by the client.\n", + "name": "icmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "UUID generated for the capture. 
Used when enabling the capture when logging.\n", + "name": "capture_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The ID of diameter application.\n", + "name": "diameter_app_ID", + "overwrite": true, + "type": "integer" + }, + { + "description": "Diameter not allowed application command id.\n", + "name": "diameter_cmd_code", + "overwrite": true, + "type": "integer" + }, + { + "description": "Diameter message type.\n", + "name": "diameter_msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Used to log a general message.\n", + "name": "cp_message", + "overwrite": true, + "type": "integer" + }, + { + "description": "Time left before deleting template.\n", + "name": "log_delay", + "overwrite": true, + "type": "integer" + }, + { + "description": "In case of a malicious event on an endpoint computer, the status of the attack.\n", + "name": "attack_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "In case of an infection on an endpoint computer, the list of files that the malware impacted.\n", + "name": "impacted_files", + "overwrite": true, + "type": "keyword" + }, + { + "description": "In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer.\n", + "name": "remediated_files", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The name of the mechanism that triggered the Software Blade to enforce a protection.\n", + "name": "triggered_by", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the matched rule.\n", + "name": "https_inspection_rule_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Name of the matched rule.\n", + "name": "https_inspection_rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "List of all found categories.\n", + "name": "app_properties", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Precise 
error, describing HTTPS inspection failure.\n", + "name": "https_validation", + "overwrite": true, + "type": "keyword" + }, + { + "description": "HTTPS inspection action (Inspect/Bypass/Error).\n", + "name": "https_inspection_action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Service ID, can work with multiple servers, treated as services.\n", + "name": "icap_service_id", + "overwrite": true, + "type": "integer" + }, + { + "description": "Server name.\n", + "name": "icap_server_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Internal error, for troubleshooting\n", + "name": "internal_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Free text for verdict.\n", + "name": "icap_more_info", + "overwrite": true, + "type": "integer" + }, + { + "description": "ICAP reply status code, e.g. 200 or 204.\n", + "name": "reply_status", + "overwrite": true, + "type": "integer" + }, + { + "description": "Service name, as given in the ICAP URI\n", + "name": "icap_server_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Information about decrypt and forward. 
Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass).\n", + "name": "mirror_and_decrypt_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Designated interface for mirror And decrypt.\n", + "name": "interface_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "HTTP session-id.\n", + "name": "session_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "IP address of the broker publisher who shared the session information.\n", + "name": "broker_publisher", + "overwrite": true, + "type": "ip" + }, + { + "description": "User distinguished name connected to source IP.\n", + "name": "src_user_dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User name connected to proxy IP.\n", + "name": "proxy_user_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Machine name connected to proxy IP.\n", + "name": "proxy_machine_name", + "overwrite": true, + "type": "integer" + }, + { + "description": "User distinguished name connected to proxy IP.\n", + "name": "proxy_user_dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "DNS query.\n", + "name": "query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "DNS query.\n", + "name": "dns_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Blade element performed inspection.\n", + "name": "inspection_item", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Protection performance impact.\n", + "name": "performance_impact", + "overwrite": true, + "type": "integer" + }, + { + "description": "Inspection category: protocol anomaly, signature etc.\n", + "name": "inspection_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Profile which the activated protection belongs to.\n", + "name": "inspection_profile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Summary 
message of a non-compliant DNS traffic drops or detects.\n", + "name": "summary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "List of question records domains.\n", + "name": "question_rdata", + "overwrite": true, + "type": "keyword" + }, + { + "description": "List of answer resource records to the questioned domains.\n", + "name": "answer_rdata", + "overwrite": true, + "type": "keyword" + }, + { + "description": "List of authoritative servers.\n", + "name": "authority_rdata", + "overwrite": true, + "type": "keyword" + }, + { + "description": "List of additional resource records.\n", + "name": "additional_rdata", + "overwrite": true, + "type": "keyword" + }, + { + "description": "List of files requested by FTP.\n", + "name": "files_names", + "overwrite": true, + "type": "keyword" + }, + { + "description": "FTP username.\n", + "name": "ftp_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Sender's address.\n", + "name": "mime_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "List of receiver address.\n", + "name": "mime_to", + "overwrite": true, + "type": "keyword" + }, + { + "description": "List of BCC addresses.\n", + "name": "bcc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Mail content type. 
Possible values: application/msword, text/html, image/gif etc.\n", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "String identifying requesting software user agent.\n", + "name": "user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Referrer HTTP request header, previous web page address.\n", + "name": "referrer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Response header, indicates the URL to redirect a page to.\n", + "name": "http_location", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Indicates how the content is expected to be displayed inline in the browser.\n", + "name": "content_disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Via header is added by proxies for tracking purposes to avoid sending reqests in loop.\n", + "name": "via", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Server HTTP header value, contains information about the software used by the origin server, which handles the request.\n", + "name": "http_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Indicates the size of the entity-body of the HTTP header.\n", + "name": "content_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Authorization HTTP header value.\n", + "name": "authorization", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Domain name of the server that the HTTP request is sent to.\n", + "name": "http_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Indicats that the log was released by inspection settings.\n", + "name": "inspection_settings_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Mobile Access application.\n", + "name": "cvpn_resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Mobile Access application type.\n", + "name": "cvpn_category", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "Translated URL.\n", + "name": "url", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A reject ID that corresponds to the one presented in the Mobile Access error page.\n", + "name": "reject_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The file share protocol used in mobile acess file share application.\n", + "name": "fs-proto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Unique identifier of the application on the protected mobile device.\n", + "name": "app_package", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Name of application downloaded on the protected mobile device.\n", + "name": "appi_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Indicates whether the original application was repackage not by the official developer.\n", + "name": "app_repackaged", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Unique SHA identifier of a mobile application.\n", + "name": "app_sid_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Version of the application downloaded on the protected mobile device.\n", + "name": "app_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Name of the developer's certificate that was used to sign the mobile application.\n", + "name": "developer_certificate_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Engine name.\n", + "name": "email_control", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Email session id (uniqe ID of the mail).\n", + "name": "email_message_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Postfix email queue id.\n", + "name": "email_queue_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Postfix email queue name.\n", + "name": "email_queue_name", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "Malicious file name.\n", + "name": "file_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "MTA failure description.\n", + "name": "failure_reason", + "overwrite": true, + "type": "keyword" + }, + { + "description": "String containing all the email headers.\n", + "name": "email_headers", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Email arrival timestamp.\n", + "name": "arrival_time", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended\n", + "name": "email_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Last time log was updated.\n", + "name": "status_update", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Timestamp of when email was delivered (MTA finished handling the email.\n", + "name": "delivery_time", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Number of links in the mail.\n", + "name": "links_num", + "overwrite": true, + "type": "integer" + }, + { + "description": "Number of attachments in the mail.\n", + "name": "attachments_num", + "overwrite": true, + "type": "integer" + }, + { + "description": "Mail contents. 
Possible options: attachments/links & attachments/links/text only.\n", + "name": "email_content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Amount of allocated ports.\n", + "name": "allocated_ports", + "overwrite": true, + "type": "integer" + }, + { + "description": "Capacity of the ports.\n", + "name": "capacity", + "overwrite": true, + "type": "integer" + }, + { + "description": "Percentage of allocated ports.\n", + "name": "ports_usage", + "overwrite": true, + "type": "integer" + }, + { + "description": "4-tuple of an exhausted pool.\n", + "name": "nat_exhausted_pool", + "overwrite": true, + "type": "keyword" + }, + { + "description": "NAT rulebase first matched rule.\n", + "name": "nat_rulenum", + "overwrite": true, + "type": "integer" + }, + { + "description": "When matching 2 automatic rules , second rule match will be shown otherwise field will be 0.\n", + "name": "nat_addtnl_rulenum", + "overwrite": true, + "type": "integer" + }, + { + "description": "Used for information messages, for example:NAT connection has ended.\n", + "name": "message_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "NAT 46 status, in most cases \"enabled\".\n", + "name": "nat46", + "overwrite": true, + "type": "keyword" + }, + { + "description": "TCP connection end time.\n", + "name": "end_time", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reason for TCP connection closure.\n", + "name": "tcp_end_reason", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Describes NAT allocation for specific subscriber.\n", + "name": "cgnet", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source IP before CGNAT.\n", + "name": "subscriber", + "overwrite": true, + "type": "ip" + }, + { + "description": "Source IP which will be used after CGNAT.\n", + "name": "hide_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "Subscriber start int which will be used for NAT.\n", + 
"name": "int_start", + "overwrite": true, + "type": "integer" + }, + { + "description": "Subscriber end int which will be used for NAT.\n", + "name": "int_end", + "overwrite": true, + "type": "integer" + }, + { + "description": "Amount of packets dropped.\n", + "name": "packet_amount", + "overwrite": true, + "type": "integer" + }, + { + "description": "Aggregated logs of monitored packets.\n", + "name": "monitor_reason", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Amount of multicast packets dropped.\n", + "name": "drops_amount", + "overwrite": true, + "type": "integer" + }, + { + "description": "Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop.\n", + "name": "securexl_message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Connections amount of aggregated log info.\n", + "name": "conns_amount", + "overwrite": true, + "type": "integer" + }, + { + "description": "IP related to the attack.\n", + "name": "scope", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Check Point ThreatCloud / emulator name.\n", + "name": "analyzed_on", + "overwrite": true, + "type": "keyword" + }, + { + "description": "System and applications version the file was emulated on.\n", + "name": "detected_on", + "overwrite": true, + "type": "keyword" + }, + { + "description": "List of names dropped from the original file.\n", + "name": "dropped_file_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "List of file types dropped from the original file.\n", + "name": "dropped_file_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "List of file hashes dropped from the original file.\n", + "name": "dropped_file_hash", + "overwrite": true, + "type": "keyword" + }, + { + "description": "List of file verdics dropped from the original file.\n", + "name": "dropped_file_verdict", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "Images the files were emulated on.\n", + "name": "emulated_on", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Types of extracted files in case of an archive.\n", + "name": "extracted_file_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Names of extracted files in case of an archive.\n", + "name": "extracted_file_names", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Archive hash in case of extracted files.\n", + "name": "extracted_file_hash", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Verdict of extracted files in case of an archive.\n", + "name": "extracted_file_verdict", + "overwrite": true, + "type": "keyword" + }, + { + "description": "UID of extracted files in case of an archive.\n", + "name": "extracted_file_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The adversary is trying to break into your network.\n", + "name": "mitre_initial_access", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The adversary is trying to run malicious code.\n", + "name": "mitre_execution", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The adversary is trying to maintain his foothold.\n", + "name": "mitre_persistence", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The adversary is trying to gain higher-level permissions.\n", + "name": "mitre_privilege_escalation", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The adversary is trying to avoid being detected.\n", + "name": "mitre_defense_evasion", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The adversary is trying to steal account names and passwords.\n", + "name": "mitre_credential_access", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The adversary is trying to expose information about your environment.\n", + "name": "mitre_discovery", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "The adversary is trying to explore your environment.\n", + "name": "mitre_lateral_movement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The adversary is trying to collect data of interest to achieve his goal.\n", + "name": "mitre_collection", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The adversary is trying to communicate with compromised systems in order to control them.\n", + "name": "mitre_command_and_control", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The adversary is trying to steal data.\n", + "name": "mitre_exfiltration", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The adversary is trying to manipulate, interrupt, or destroy your systems and data.\n", + "name": "mitre_impact", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Archive's hash in case of extracted files.\n", + "name": "parent_file_hash", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Archive's name in case of extracted files.\n", + "name": "parent_file_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Archive's UID in case of extracted files.\n", + "name": "parent_file_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Other IoCs similar to the ones found, related to the malicious file.\n", + "name": "similiar_iocs", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Hashes found similar to the malicious file.\n", + "name": "similar_hashes", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Strings found similar to the malicious file.\n", + "name": "similar_strings", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Network action found similar to the malicious file.\n", + "name": "similar_communication", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Emulators determined 
file verdict.\n", + "name": "te_verdict_determined_by", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Identifier of the packet capture files.\n", + "name": "packet_capture_unique_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The number of attachments in an email.\n", + "name": "total_attachments", + "overwrite": true, + "type": "integer" + }, + { + "description": "ID of original file/mail which are sent by admin.\n", + "name": "additional_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "File risk.\n", + "name": "content_risk", + "overwrite": true, + "type": "integer" + }, + { + "description": "Operation made by Threat Extraction.\n", + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Active content that was found.\n", + "name": "scrubbed_content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Extraction process duration.\n", + "name": "scrub_time", + "overwrite": true, + "type": "keyword" + }, + { + "description": "File download time from resource.\n", + "name": "scrub_download_time", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Threat extraction total file handling time.\n", + "name": "scrub_total_time", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The result of the extraction\n", + "name": "scrub_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reports whether watermark is added to the cleaned file.\n", + "name": "watermark", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Matched object name on source column.\n", + "name": "source_object", + "overwrite": true, + "type": "integer" + }, + { + "description": "Matched object name on destination column.\n", + "name": "destination_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Drop reason description.\n", + "name": "drop_reason", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "Number of hits on a rule.\n", + "name": "hit", + "overwrite": true, + "type": "integer" + }, + { + "description": "Layer number.\n", + "name": "rulebase_id", + "overwrite": true, + "type": "integer" + }, + { + "description": "First hit time in current interval.\n", + "name": "first_hit_time", + "overwrite": true, + "type": "integer" + }, + { + "description": "Last hit time in current interval.\n", + "name": "last_hit_time", + "overwrite": true, + "type": "integer" + }, + { + "description": "Information sent when old connections cannot be matched during policy installation.\n", + "name": "rematch_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Connection rematched time.\n", + "name": "last_rematch_time", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Connection drop reason.\n", + "name": "action_reason", + "overwrite": true, + "type": "integer" + }, + { + "description": "Boolean value indicates whether bytes sent from the client side are used.\n", + "name": "c_bytes", + "overwrite": true, + "type": "integer" + }, + { + "description": "Serial number of the log for a specific connection.\n", + "name": "context_num", + "overwrite": true, + "type": "integer" + }, + { + "description": "Private key of the rule\n", + "name": "match_id", + "overwrite": true, + "type": "integer" + }, + { + "description": "Alert level of matched rule (for connection logs).\n", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Parent rule number, in case of inline layer.\n", + "name": "parent_rule", + "overwrite": true, + "type": "integer" + }, + { + "description": "Rule number.\n", + "name": "match_fk", + "overwrite": true, + "type": "integer" + }, + { + "description": "Number of outgoing bytes dropped when using UP-limit feature.\n", + "name": "dropped_outgoing", + "overwrite": true, + "type": "integer" + }, + { + "description": "Number of incoming bytes dropped when 
using UP-limit feature.\n", + "name": "dropped_incoming", + "overwrite": true, + "type": "integer" + }, + { + "description": "Media used (audio, video, etc.)\n", + "name": "media_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Explains why 'source_ip' isn't allowed to redirect (handover).\n", + "name": "sip_reason", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Registration request.\n", + "name": "voip_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Registered IP-Phones.\n", + "name": "registered_ip-phones", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Registered IP-Phone type.\n", + "name": "voip_reg_user_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Call-ID.\n", + "name": "voip_call_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Registration port.\n", + "name": "voip_reg_int", + "overwrite": true, + "type": "integer" + }, + { + "description": "Registration IP protocol.\n", + "name": "voip_reg_ipp", + "overwrite": true, + "type": "integer" + }, + { + "description": "Registration period.\n", + "name": "voip_reg_period", + "overwrite": true, + "type": "integer" + }, + { + "description": "VoIP log types. 
Possible values: reject, call, registration.\n", + "name": "voip_log_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source IP-Phone.\n", + "name": "src_phone_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source IP-Phone type.\n", + "name": "voip_from_user_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination IP-Phone.\n", + "name": "dst_phone_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination IP-Phone type.\n", + "name": "voip_to_user_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Call direction: in/out.\n", + "name": "voip_call_dir", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Call state. Possible values: in/out.\n", + "name": "voip_call_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Call termination time stamp.\n", + "name": "voip_call_term_time", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Call duration (seconds).\n", + "name": "voip_duration", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Media int.\n", + "name": "voip_media_port", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Media IP protocol.\n", + "name": "voip_media_ipp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Estimated codec.\n", + "name": "voip_est_codec", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Expiration.\n", + "name": "voip_exp", + "overwrite": true, + "type": "integer" + }, + { + "description": "Attachment size.\n", + "name": "voip_attach_sz", + "overwrite": true, + "type": "integer" + }, + { + "description": "Attachment action Info.\n", + "name": "voip_attach_action_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Estimated codec.\n", + "name": "voip_media_codec", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reject 
reason.\n", + "name": "voip_reject_reason", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Information.\n", + "name": "voip_reason_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Configuration.\n", + "name": "voip_config", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Registrar server IP address.\n", + "name": "voip_reg_server", + "overwrite": true, + "type": "ip" + }, + { + "description": "Username whose packets are dropped on SCV.\n", + "name": "scv_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Drop reason.\n", + "name": "scv_message_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Authentication status.\n", + "name": "ppp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Describes the scheme used for the log.\n", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Password authentication protocol used (PAP or EAP).\n", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "L2TP machine which triggered the log and the log refers to it.\n", + "name": "machine", + "overwrite": true, + "type": "keyword" + }, + { + "description": "L2TP /IKE / Link Selection.\n", + "name": "vpn_feature_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Authentication failure reason.\n", + "name": "reject_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "IP address response status.\n", + "name": "peer_ip_probing_status_update", + "overwrite": true, + "type": "keyword" + }, + { + "description": "IP address which the client connects to.\n", + "name": "peer_ip", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Main IP of the peer Security Gateway.\n", + "name": "peer_gateway", + "overwrite": true, + "type": "ip" + }, + { + "description": "IP address response status.\n", + "name": 
"link_probing_status_update", + "overwrite": true, + "type": "keyword" + }, + { + "description": "External Interface name for source interface or Null if not found.\n", + "name": "source_interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Next hop IP address.\n", + "name": "next_hop_ip", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Initiator Spi ID.\n", + "name": "srckeyid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Responder Spi ID.\n", + "name": "dstkeyid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Message indicating why the encryption failed.\n", + "name": "encryption_failure", + "overwrite": true, + "type": "keyword" + }, + { + "description": "All QM ids.\n", + "name": "ike_ids", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Community name for the IPSec key and the use of the IKEv.\n", + "name": "community", + "overwrite": true, + "type": "keyword" + }, + { + "description": "IKEMode (PHASE1, PHASE2, etc..).\n", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Initiator cookie.\n", + "name": "cookieI", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Responder cookie.\n", + "name": "cookieR", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Message ID.\n", + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "IPSEc methods.\n", + "name": "methods", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Calculation of md5 of the IP and user name as UID.\n", + "name": "connection_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Site name.\n", + "name": "site_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Unknown rule name.\n", + "name": "esod_rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Unknown rule action.\n", + "name": 
"esod_rule_action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Unknown rule type.\n", + "name": "esod_rule_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Non-compliance reason.\n", + "name": "esod_noncompliance_reason", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Associated policies.\n", + "name": "esod_associated_policies", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Spyware name.\n", + "name": "spyware_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Spyware type.\n", + "name": "spyware_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Anti virus type.\n", + "name": "anti_virus_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "End user firewall type.\n", + "name": "end_user_firewall_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Scan failed.\n", + "name": "esod_scan_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Access denied.\n", + "name": "esod_access_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint Connect.\n", + "name": "client_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "HTTP parser error.\n", + "name": "precise_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "HTTP method.\n", + "name": "method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "In case of phishing event, the domain, which the attacker was impersonating.", + "name": "trusted_domain", + "overwrite": true, + "type": "keyword" + } + ], + "name": "checkpoint", + "release": "beta", + "type": "group" + } + ] + } + } + } + } + } + }, + "cisco": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "asa": { + "enabled": true + }, + "ftd": { + "enabled": true + }, + "ios": { + "enabled": true + }, + "module": "cisco", + "nexus": { + "enabled": 
true + } + } + ], + "fields.yml": [ + { + "description": "Module for handling Cisco network device logs.\n", + "fields": null, + "key": "cisco", + "title": "Cisco" + } + ] + } + }, + "asa": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields for Cisco ASA Firewall.\n", + "fields": [ + { + "description": "The Cisco ASA message identifier.\n", + "name": "message_id", + "type": "keyword" + }, + { + "description": "Optional suffix after %ASA identifier.\n", + "example": "session", + "name": "suffix", + "type": "keyword" + }, + { + "description": "Source interface for the flow or event.\n", + "name": "source_interface", + "type": "keyword" + }, + { + "description": "Destination interface for the flow or event.\n", + "name": "destination_interface", + "type": "keyword" + }, + { + "description": "Name of the Access Control List rule that matched this event.\n", + "name": "rule_name", + "type": "keyword" + }, + { + "description": "Name of the user that is the source for this event.\n", + "name": "source_username", + "type": "keyword" + }, + { + "description": "Name of the user that is the destination for this event.\n", + "name": "destination_username", + "type": "keyword" + }, + { + "description": "The translated source IP address.\n", + "name": "mapped_source_ip", + "type": "ip" + }, + { + "default_field": false, + "description": "The translated source host.\n", + "name": "mapped_source_host", + "type": "keyword" + }, + { + "description": "The translated source port.\n", + "name": "mapped_source_port", + "type": "long" + }, + { + "description": "The translated destination IP address.\n", + "name": "mapped_destination_ip", + "type": "ip" + }, + { + "default_field": false, + "description": "The translated destination host.\n", + "name": "mapped_destination_host", + "type": "keyword" + }, + { + "description": "The translated destination port.\n", + "name": "mapped_destination_port", + "type": "long" + }, + { + "description": "Threat 
level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.\n", + "name": "threat_level", + "type": "keyword" + }, + { + "description": "Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.\n", + "name": "threat_category", + "type": "keyword" + }, + { + "description": "Unique identifier for a flow.\n", + "name": "connection_id", + "type": "keyword" + }, + { + "description": "ICMP type.\n", + "name": "icmp_type", + "type": "short" + }, + { + "description": "ICMP code.\n", + "name": "icmp_code", + "type": "short" + }, + { + "default_field": false, + "description": "The VPN connection type\n", + "name": "connection_type", + "type": "keyword" + }, + { + "default_field": false, + "description": "The assigned DAP records\n", + "name": "dap_records", + "type": "keyword" + }, + { + "default_field": false, + "description": "The command line arguments logged by the local audit log\n", + "name": "command_line_arguments", + "type": "keyword" + }, + { + "default_field": false, + "description": "The IP address assigned to a VPN client successfully connecting\n", + "name": "assigned_ip", + "type": "ip" + }, + { + "default_field": false, + "description": "When a users privilege is changed this is the old value\n", + "name": "privilege.old", + "type": "keyword" + }, + { + "default_field": false, + "description": "When a users privilege is changed this is the new value\n", + "name": "privilege.new", + "type": "keyword" + }, + { + "default_field": false, + "description": "The related object for burst warnings\n", + "name": "burst.object", + "type": "keyword" + }, + { + "default_field": false, + "description": "The related rate ID for burst warnings\n", + "name": "burst.id", + "type": "keyword" + }, + { + "default_field": false, + "description": "The current burst rate seen\n", + "name": "burst.current_rate", + "type": "keyword" + }, + { + "default_field": false, + "description": "The current configured burst rate\n", + "name": 
"burst.configured_rate", + "type": "keyword" + }, + { + "default_field": false, + "description": "The current average burst rate seen\n", + "name": "burst.avg_rate", + "type": "keyword" + }, + { + "default_field": false, + "description": "The current configured average burst rate allowed\n", + "name": "burst.configured_avg_rate", + "type": "keyword" + }, + { + "default_field": false, + "description": "The total count of burst rate hits since the object was created or cleared\n", + "name": "burst.cumulative_count", + "type": "keyword" + } + ], + "name": "cisco.asa", + "type": "group" + } + ] + } + } + } + }, + "ftd": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields for Cisco Firepower Threat Defense Firewall.\n", + "fields": [ + { + "description": "The Cisco FTD message identifier.\n", + "name": "message_id", + "type": "keyword" + }, + { + "description": "Optional suffix after %FTD identifier.\n", + "example": "session", + "name": "suffix", + "type": "keyword" + }, + { + "description": "Source interface for the flow or event.\n", + "name": "source_interface", + "type": "keyword" + }, + { + "description": "Destination interface for the flow or event.\n", + "name": "destination_interface", + "type": "keyword" + }, + { + "description": "Name of the Access Control List rule that matched this event.\n", + "name": "rule_name", + "type": "keyword" + }, + { + "description": "Name of the user that is the source for this event.\n", + "name": "source_username", + "type": "keyword" + }, + { + "description": "Name of the user that is the destination for this event.\n", + "name": "destination_username", + "type": "keyword" + }, + { + "description": "The translated source IP address. 
Use ECS source.nat.ip.\n", + "name": "mapped_source_ip", + "type": "ip" + }, + { + "default_field": false, + "description": "The translated source host.\n", + "name": "mapped_source_host", + "type": "keyword" + }, + { + "description": "The translated source port. Use ECS source.nat.port.\n", + "name": "mapped_source_port", + "type": "long" + }, + { + "description": "The translated destination IP address. Use ECS destination.nat.ip.\n", + "name": "mapped_destination_ip", + "type": "ip" + }, + { + "default_field": false, + "description": "The translated destination host.\n", + "name": "mapped_destination_host", + "type": "keyword" + }, + { + "description": "The translated destination port. Use ECS destination.nat.port.\n", + "name": "mapped_destination_port", + "type": "long" + }, + { + "description": "Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.\n", + "name": "threat_level", + "type": "keyword" + }, + { + "description": "Category for the malware / botnet traffic. 
For example: virus, botnet, trojan, etc.\n", + "name": "threat_category", + "type": "keyword" + }, + { + "description": "Unique identifier for a flow.\n", + "name": "connection_id", + "type": "keyword" + }, + { + "description": "ICMP type.\n", + "name": "icmp_type", + "type": "short" + }, + { + "description": "ICMP code.\n", + "name": "icmp_code", + "type": "short" + }, + { + "description": "Raw fields for Security Events.", + "name": "security", + "type": "object" + }, + { + "default_field": false, + "description": "The VPN connection type\n", + "name": "connection_type", + "type": "keyword" + }, + { + "default_field": false, + "description": "The assigned DAP records\n", + "name": "dap_records", + "type": "keyword" + } + ], + "name": "cisco.ftd", + "type": "group" + } + ] + } + } + } + }, + "ios": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields for Cisco IOS logs.\n", + "fields": [ + { + "description": "Name of the IP access list.\n", + "name": "access_list", + "type": "keyword" + }, + { + "description": "The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. 
It denotes the source or the cause of the system message.\n", + "example": "SEC", + "name": "facility", + "type": "keyword" + } + ], + "name": "cisco.ios", + "type": "group" + } + ] + } + } + } + }, + "nexus": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Name of the network interface where the traffic has been observed.\n", + "name": "network.interface.name", + "overwrite": true, + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "fields": [ + { + "description": "This key is used to capture the raw message that comes into the Log Decoder", + "name": "msg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "messageid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of instant messages", + "name": "message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.", + "name": "time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "level", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_vid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "data", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "statement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "audit_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "entry", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "hcode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "inode", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "dead", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "device_type_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "did", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "event_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.", + "name": "forward_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "forward_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "header_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_ctime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session", + "name": "medium", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "node_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key denotes that event is endpoint related", + "name": "nwe_callback_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "parse_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.", + "name": "process_vid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.", + "name": "process_vid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "rid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "session_split", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "site", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "size", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "sourcefile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log", + "name": "word", + "overwrite": true, + "type": "keyword" + } + ], + "name": "internal", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form", + "name": "event_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the normalized duration/lifetime in seconds.", + "name": "duration_time", + "overwrite": true, + "type": "double" + }, + { + "description": "This key is used to capture the incomplete time mentioned in a session as a string", + "name": "event_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Start time mentioned in a session in a 
standard form", + "name": "starttime", + "overwrite": true, + "type": "date" + }, + { + "name": "month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "day", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the End time mentioned in a session in a standard form", + "name": "endtime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the timezone of the Event Time", + "name": "timezone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A text string version of the duration", + "name": "duration_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. 
Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": "expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": 
true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a 
sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. 
Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd Linked ID. 
Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + "name": 
"event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI", + "name": "ip_proto", + "overwrite": true, + "type": "long" + }, + { + "name": "dns_cname_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_opcode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_resp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "host_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "packet_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.", + "name": "host_orig", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.", + "name": "rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the name of the Virtual LAN", + "name": "vlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "network", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures the particular event activity(Ex:Logoff)", + "name": "ec_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Theme of a particular Event(Ex:Authentication)", + "name": "ec_theme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Subject of a particular Event(Ex:User)", + "name": "ec_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the outcome of a particular Event(Ex:Success)", + "name": "ec_outcome", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Event 
category number", + "name": "event_cat", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the event category name corresponding to the event cat code", + "name": "event_cat_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.", + "name": "event_vcat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file", + "name": "analysis_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service", + "name": "analysis_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session", + "name": "analysis_session", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture behaviour of compromise", + "name": "boc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Enablers of Compromise", + "name": "eoc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation category", + "name": "inv_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation context", + "name": "inv_context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is key capture indicator of compromise", + "name": "ioc", + "overwrite": true, + "type": "keyword" + } + ], + "name": "investigations", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is a generic counter key that should be used with the label dclass.c1.str only", + "name": "dclass_c1", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c2.str only", + "name": "dclass_c2", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the number of times an event repeated", + "name": "event_counter", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r1.str only", + "name": "dclass_r1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c3.str only", + "name": "dclass_c3", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c1 only", + "name": "dclass_c1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter 
string key that should be used with the label dclass.c2 only", + "name": "dclass_c2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r1 only", + "name": "dclass_r1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r2.str only", + "name": "dclass_r2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c3 only", + "name": "dclass_c3_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r3.str only", + "name": "dclass_r3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r2 only", + "name": "dclass_r2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r3 only", + "name": "dclass_r3_str", + "overwrite": true, + "type": "keyword" + } + ], + "name": "counters", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture authentication methods used only", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Role of a user only", + "name": "user_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "X.500 (LDAP) Distinguished Name", + "name": "dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the type of logon method used.", + "name": "logon_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the user profile", + "name": "profile", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key is used to capture actual privileges used in accessing an object", + "name": "accesses", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Radius realm or similar grouping of accounts", + "name": "realm", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination User Session ID", + "name": "user_sid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn", + "name": "dn_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the User organization", + "name": "org", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn", + "name": "dn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "firstname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "lastname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User's Department Names only", + "name": "user_dept", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source User Session ID", + "name": "user_sid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Federated Service Provider. This is the application requesting authentication.", + "name": "federated_sp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the federated Identity Provider. 
This is the server providing the authentication.", + "name": "federated_idp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.", + "name": "logon_type_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "middlename", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Passwords seen in any session, plain text or encrypted", + "name": "password", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the role of a Host Machine", + "name": "host_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context", + "name": "ldap", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Search criteria from an LDAP search", + "name": "ldap_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to capture Results from an LDAP search", + "name": "ldap_response", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture username the process or service is running as, the author of the task", + "name": "owner", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage", + "name": "service_account", + "overwrite": true, + "type": "keyword" + } + ], + "name": "identity", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email", + "name": "email_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the source email address only, when the source context is not clear use email", + "name": "email_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the subject string from an Email only.", + "name": "subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a generic email address where the source or destination context is not clear", + "name": "email", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_to", + "overwrite": true, + "type": "keyword" + } + ], + "name": "email", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Deprecated, use permissions", + "name": "privilege", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the attachment file name", + "name": "attachment", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filesystem", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "binary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the file targeted by the action", + "name": "filename_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the parent filename, the 
file which performed the action", + "name": "filename_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filename_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the target process or file", + "name": "directory_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the source process or file", + "name": "directory_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture entropy vale of a file", + "name": "file_entropy", + "overwrite": true, + "type": "double" + }, + { + "description": "This is used to capture Company name of file located in version_info", + "name": "file_vendor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the task", + "name": "task_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "file", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Fully Qualified Domain Names", + "name": "fqdn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Web cookies specifically.", + "name": "web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reputation Number of an entity. 
Typically used for Web Domains", + "name": "reputation_num", + "overwrite": true, + "type": "double" + }, + { + "description": "Web referer's domain", + "name": "web_ref_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's query portion of the URL", + "name": "web_ref_query", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's page information", + "name": "web_ref_page", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web referer's root URL path", + "name": "web_ref_root", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_rpackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlpage", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlroot", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_url", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_method", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_referer", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_extension_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_page", + "overwrite": true, + "type": "keyword" + } + ], + "name": "web", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures Threat Name/Threat Category/Categorization of alert", + "name": "threat_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the threat description from the session directly or inferred", + "name": "threat_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": 
"This key is used to capture name of the alert", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source of the threat", + "name": "threat_source", + "overwrite": true, + "type": "keyword" + } + ], + "name": "threat", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Encryption Type or Encryption Key only", + "name": "crypto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Source (Client) Cipher", + "name": "cipher_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate organization only", + "name": "cert_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer's IP Address", + "name": "peer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source (Client) Cipher Size", + "name": "cipher_size_src", + "overwrite": true, + "type": "long" + }, + { + "description": "IKE negotiation phase.", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Encryption scheme used", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer\u2019s identity", + "name": "peer_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Signature Type", + "name": "sig_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_issuer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "cert_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Certificate Error String", + "name": "cert_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Destination 
(Server) Cipher", + "name": "cipher_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination (Server) Cipher Size", + "name": "cipher_size_dst", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "d_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "name": "s_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One", + "name": "ike_cookie1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two", + "name": "ike_cookie2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used for the hostname category value of a certificate", + "name": "cert_host_cat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate serial number only", + "name": "cert_serial", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Certificate validation status", + "name": "cert_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_keysize", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_insact", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_valid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate signing authority only", + "name": "cert_ca", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate common 
name only", + "name": "cert_common", + "overwrite": true, + "type": "keyword" + } + ], + "name": "crypto", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the ssid of a Wireless Session", + "name": "wlan_ssid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the access point name.", + "name": "access_point", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the channel names", + "name": "wlan_channel", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures either WLAN number/name", + "name": "wlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "wireless", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "A unique name assigned to logical units (volumes) within a physical disk", + "name": "disk_volume", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Logical Unit Number.This key is a very useful concept in Storage.", + "name": "lun", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This uniquely identifies a port on a HBA.", + "name": "pwwn", + "overwrite": true, + "type": "keyword" + } + ], + "name": "storage", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.", + "name": "org_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.", + "name": "org_src", + "overwrite": true, + "type": "keyword" + } + ], + "name": "physical", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_fname", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "This key captures the unique ID for a patient", + "name": "patient_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_lname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_mname", + "overwrite": true, + "type": "keyword" + } + ], + "name": "healthcare", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on", + "name": "host_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the path to the registry key", + "name": "registry_key", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures values or decorators used within a registry entry", + "name": "registry_value", + "overwrite": true, + "type": "keyword" + } + ], + "name": "endpoint", + "overwrite": true, + "type": "group" + } + ], + "name": "rsa", + "overwrite": true, + "type": "group" + } + ] + } + } + } + } + } + }, + "coredns": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "coredns" + } + ], + "fields.yml": [ + { + "description": "Module for handling logs produced by coredns\n", + "fields": [ + { + "description": "coredns fields after normalization\n", + "fields": [ + { + "description": "id of the DNS transaction\n", + "name": "id", + "type": "keyword" + }, + { + "description": "size of the DNS query\n", + "format": "bytes", + "name": "query.size", + "type": "integer" + }, + { + "description": "DNS query class\n", + "name": "query.class", + "type": "keyword" + }, + { + "description": "DNS 
query name\n", + "name": "query.name", + "type": "keyword" + }, + { + "description": "DNS query type\n", + "name": "query.type", + "type": "keyword" + }, + { + "description": "DNS response code\n", + "name": "response.code", + "type": "keyword" + }, + { + "description": "DNS response flags\n", + "name": "response.flags", + "type": "keyword" + }, + { + "description": "size of the DNS response\n", + "format": "bytes", + "name": "response.size", + "type": "integer" + }, + { + "description": "dnssec flag\n", + "name": "dnssec_ok", + "type": "boolean" + } + ], + "name": "coredns", + "type": "group" + } + ], + "key": "coredns", + "title": "Coredns" + } + ] + } + } + } + }, + "crowdstrike": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "falcon": { + "enabled": true + }, + "module": "crowdstrike" + } + ], + "fields.yml": [ + { + "description": "Module for collecting Crowdstrike events.\n", + "fields": [ + { + "description": "Fields for Crowdstrike Falcon event and alert data.\n", + "fields": null, + "name": "crowdstrike", + "type": "group" + } + ], + "key": "crowdstrike", + "release": "beta", + "title": "Crowdstrike" + } + ] + } + }, + "falcon": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Meta data fields for each event that include type and timestamp.\n", + "fields": [ + { + "description": "DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent\n", + "name": "eventType", + "type": "keyword" + }, + { + "description": "The time this event occurred on the endpoint in UTC UNIX_MS format.\n", + "name": "eventCreationTime", + "type": "date" + }, + { + "description": "Offset number that tracks the location of the event in stream. 
This is used to identify unique detection events.\n", + "name": "offset", + "type": "integer" + }, + { + "description": "Customer identifier\n", + "name": "customerIDString", + "type": "keyword" + }, + { + "description": "Schema version\n", + "name": "version", + "type": "keyword" + } + ], + "name": "metadata", + "title": "Metadata fields", + "type": "group" + }, + { + "default_field": false, + "description": "Event data fields for each event and alert.\n", + "fields": [ + { + "description": "The process start time in UTC UNIX_MS format.\n", + "name": "ProcessStartTime", + "type": "date" + }, + { + "description": "The process termination time in UTC UNIX_MS format.\n", + "name": "ProcessEndTime", + "type": "date" + }, + { + "description": "Process ID related to the detection.\n", + "name": "ProcessId", + "type": "integer" + }, + { + "description": "Parent process ID related to the detection.\n", + "name": "ParentProcessId", + "type": "integer" + }, + { + "description": "Name of the computer where the detection occurred.\n", + "name": "ComputerName", + "type": "keyword" + }, + { + "description": "User name associated with the detection.\n", + "name": "UserName", + "type": "keyword" + }, + { + "description": "Name of the detection.\n", + "name": "DetectName", + "type": "keyword" + }, + { + "description": "Description of the detection.\n", + "name": "DetectDescription", + "type": "keyword" + }, + { + "description": "Severity score of the detection.\n", + "name": "Severity", + "type": "integer" + }, + { + "description": "Severity score text.\n", + "name": "SeverityName", + "type": "keyword" + }, + { + "description": "File name of the associated process for the detection.\n", + "name": "FileName", + "type": "keyword" + }, + { + "description": "Path of the executable associated with the detection.\n", + "name": "FilePath", + "type": "keyword" + }, + { + "description": "Executable path with command line arguments.\n", + "name": "CommandLine", + "type": "keyword" + }, + { 
+ "description": "SHA1 sum of the executable associated with the detection.\n", + "name": "SHA1String", + "type": "keyword" + }, + { + "description": "SHA256 sum of the executable associated with the detection.\n", + "name": "SHA256String", + "type": "keyword" + }, + { + "description": "MD5 sum of the executable associated with the detection.\n", + "name": "MD5String", + "type": "keyword" + }, + { + "description": "Domain for the machine associated with the detection.\n", + "name": "MachineDomain", + "type": "keyword" + }, + { + "description": "URL to view the detection in Falcon.\n", + "name": "FalconHostLink", + "type": "keyword" + }, + { + "description": "Unique ID associated with the Falcon sensor.\n", + "name": "SensorId", + "type": "keyword" + }, + { + "description": "Unique ID associated with the detection.\n", + "name": "DetectId", + "type": "keyword" + }, + { + "description": "IP address of the host associated with the detection.\n", + "name": "LocalIP", + "type": "keyword" + }, + { + "description": "MAC address of the host associated with the detection.\n", + "name": "MACAddress", + "type": "keyword" + }, + { + "description": "MITRE tactic category of the detection.\n", + "name": "Tactic", + "type": "keyword" + }, + { + "description": "MITRE technique category of the detection.\n", + "name": "Technique", + "type": "keyword" + }, + { + "description": "Method of detection.\n", + "name": "Objective", + "type": "keyword" + }, + { + "description": "Action taken by Falcon.\n", + "name": "PatternDispositionDescription", + "type": "keyword" + }, + { + "description": "Unique ID associated with action taken.\n", + "name": "PatternDispositionValue", + "type": "integer" + }, + { + "description": "Flags indicating actions taken.\n", + "name": "PatternDispositionFlags", + "type": "object" + }, + { + "description": "Whether the incident summary is open and ongoing or closed.\n", + "name": "State", + "type": "keyword" + }, + { + "description": "Start time for the 
incident in UTC UNIX format.\n", + "name": "IncidentStartTime", + "type": "date" + }, + { + "description": "End time for the incident in UTC UNIX format.\n", + "name": "IncidentEndTime", + "type": "date" + }, + { + "description": "Score for incident.\n", + "name": "FineScore", + "type": "float" + }, + { + "description": "Email address or user ID associated with the event.\n", + "name": "UserId", + "type": "keyword" + }, + { + "description": "IP address associated with the user.\n", + "name": "UserIp", + "type": "keyword" + }, + { + "description": "Event subtype.\n", + "name": "OperationName", + "type": "keyword" + }, + { + "description": "Service associated with this event.\n", + "name": "ServiceName", + "type": "keyword" + }, + { + "description": "Indicator of whether or not this event was successful.\n", + "name": "Success", + "type": "boolean" + }, + { + "description": "Timestamp associated with this event in UTC UNIX format.\n", + "name": "UTCTimestamp", + "type": "date" + }, + { + "description": "Fields that were changed in this event.\n", + "name": "AuditKeyValues", + "type": "nested" + }, + { + "description": "Detected executables written to disk by a process.\n", + "name": "ExecutablesWritten", + "type": "nested" + }, + { + "description": "Session ID of the remote response session.\n", + "name": "SessionId", + "type": "keyword" + }, + { + "description": "Host name of the machine for the remote session.\n", + "name": "HostnameField", + "type": "keyword" + }, + { + "description": "Start time for the remote session in UTC UNIX format.\n", + "name": "StartTimestamp", + "type": "date" + }, + { + "description": "End time for the remote session in UTC UNIX format.\n", + "name": "EndTimestamp", + "type": "date" + }, + { + "description": "Lateral movement field for incident.\n", + "name": "LateralMovement", + "type": "long" + }, + { + "description": "Path to the parent process.\n", + "name": "ParentImageFileName", + "type": "keyword" + }, + { + "description": 
"Parent process command line arguments.\n", + "name": "ParentCommandLine", + "type": "keyword" + }, + { + "description": "Path to the grandparent process.\n", + "name": "GrandparentImageFileName", + "type": "keyword" + }, + { + "description": "Grandparent process command line arguments.\n", + "name": "GrandparentCommandLine", + "type": "keyword" + }, + { + "description": "CrowdStrike type for indicator of compromise.\n", + "name": "IOCType", + "type": "keyword" + }, + { + "description": "CrowdStrike value for indicator of compromise.\n", + "name": "IOCValue", + "type": "keyword" + }, + { + "description": "Customer identifier.\n", + "name": "CustomerId", + "type": "keyword" + }, + { + "description": "Device on which the event occurred.\n", + "name": "DeviceId", + "type": "keyword" + }, + { + "description": "Protocol for network request.\n", + "name": "Ipv", + "type": "keyword" + }, + { + "description": "Direction for network connection.\n", + "name": "ConnectionDirection", + "type": "keyword" + }, + { + "description": "CrowdStrike provided event type.\n", + "name": "EventType", + "type": "keyword" + }, + { + "description": "Host name of the local machine.\n", + "name": "HostName", + "type": "keyword" + }, + { + "description": "RFC2780 ICMP Code field.\n", + "name": "ICMPCode", + "type": "keyword" + }, + { + "description": "RFC2780 ICMP Type field.\n", + "name": "ICMPType", + "type": "keyword" + }, + { + "description": "File name of the associated process for the detection.\n", + "name": "ImageFileName", + "type": "keyword" + }, + { + "description": "Associated process id for the detection.\n", + "name": "PID", + "type": "long" + }, + { + "description": "IP address of local machine.\n", + "name": "LocalAddress", + "type": "ip" + }, + { + "description": "Port of local machine.\n", + "name": "LocalPort", + "type": "long" + }, + { + "description": "IP address of remote machine.\n", + "name": "RemoteAddress", + "type": "ip" + }, + { + "description": "Port of remote 
machine.\n", + "name": "RemotePort", + "type": "long" + }, + { + "description": "Firewall rule action.\n", + "name": "RuleAction", + "type": "keyword" + }, + { + "description": "Firewall rule description.\n", + "name": "RuleDescription", + "type": "keyword" + }, + { + "description": "Firewall rule family id.\n", + "name": "RuleFamilyID", + "type": "keyword" + }, + { + "description": "Firewall rule group name.\n", + "name": "RuleGroupName", + "type": "keyword" + }, + { + "description": "Firewall rule name.\n", + "name": "RuleName", + "type": "keyword" + }, + { + "description": "Firewall rule id.\n", + "name": "RuleId", + "type": "keyword" + }, + { + "description": "Number of firewall rule matches.\n", + "name": "MatchCount", + "type": "long" + }, + { + "description": "Number of firewall rule matches since the last report.\n", + "name": "MatchCountSinceLastReport", + "type": "long" + }, + { + "description": "Firewall rule triggered timestamp.\n", + "name": "Timestamp", + "type": "date" + }, + { + "description": "CrowdStrike audit flag.\n", + "name": "Flags.Audit", + "type": "boolean" + }, + { + "description": "CrowdStrike log flag.\n", + "name": "Flags.Log", + "type": "boolean" + }, + { + "description": "CrowdStrike monitor flag.\n", + "name": "Flags.Monitor", + "type": "boolean" + }, + { + "description": "CrowdStrike provided protocol.\n", + "name": "Protocol", + "type": "keyword" + }, + { + "description": "CrowdStrike network profile.\n", + "name": "NetworkProfile", + "type": "keyword" + }, + { + "description": "CrowdStrike policy name.\n", + "name": "PolicyName", + "type": "keyword" + }, + { + "description": "CrowdStrike policy id.\n", + "name": "PolicyID", + "type": "keyword" + }, + { + "description": "CrowdStrike status.\n", + "name": "Status", + "type": "keyword" + }, + { + "description": "CrowdStrike tree id.\n", + "name": "TreeID", + "type": "keyword" + }, + { + "description": "Commands run in a remote session.\n", + "name": "Commands", + "type": "keyword" + 
} + ], + "name": "event", + "title": "Event fields", + "type": "group" + } + ] + } + } + } + } + } + }, + "cylance": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "module": "cylance", + "protect": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "cylance fields.\n", + "fields": null, + "key": "cylance", + "title": "CylanceProtect" + } + ] + } + }, + "protect": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Name of the network interface where the traffic has been observed.\n", + "name": "network.interface.name", + "overwrite": true, + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "fields": [ + { + "description": "This key is used to capture the raw message that comes into the Log Decoder", + "name": "msg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "messageid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of instant messages", + "name": "message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.", + "name": "time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "level", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_vid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "data", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "statement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "audit_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "entry", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "hcode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "inode", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource_class", + "overwrite": true, + "type": "keyword" + }, + { 
+ "description": "Deprecated key defined only in table map.", + "name": "dead", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "device_type_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "did", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "event_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.", + "name": "forward_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "forward_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "header_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_ctime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session", + "name": "medium", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "node_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key denotes that event is endpoint related", + "name": "nwe_callback_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "parse_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.", + "name": "process_vid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.", + "name": "process_vid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "rid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "session_split", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "site", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "size", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "sourcefile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log", + "name": "word", + "overwrite": true, + "type": "keyword" + } + ], + "name": "internal", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form", + "name": "event_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the normalized duration/lifetime in seconds.", + "name": "duration_time", + "overwrite": true, + "type": "double" + }, + { + "description": "This key is used to capture the incomplete time mentioned in a session as a string", + "name": "event_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Start time mentioned in a session in a 
standard form", + "name": "starttime", + "overwrite": true, + "type": "date" + }, + { + "name": "month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "day", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the End time mentioned in a session in a standard form", + "name": "endtime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the timezone of the Event Time", + "name": "timezone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A text string version of the duration", + "name": "duration_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. 
Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": "expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": 
true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a 
sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. 
Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd Linked ID. 
Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + "name": 
"event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI", + "name": "ip_proto", + "overwrite": true, + "type": "long" + }, + { + "name": "dns_cname_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_opcode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_resp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "host_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "packet_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.", + "name": "host_orig", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.", + "name": "rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the name of the Virtual LAN", + "name": "vlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "network", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures the particular event activity(Ex:Logoff)", + "name": "ec_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Theme of a particular Event(Ex:Authentication)", + "name": "ec_theme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Subject of a particular Event(Ex:User)", + "name": "ec_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the outcome of a particular Event(Ex:Success)", + "name": "ec_outcome", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Event 
category number", + "name": "event_cat", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the event category name corresponding to the event cat code", + "name": "event_cat_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.", + "name": "event_vcat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file", + "name": "analysis_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service", + "name": "analysis_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session", + "name": "analysis_session", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture behaviour of compromise", + "name": "boc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Enablers of Compromise", + "name": "eoc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation category", + "name": "inv_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation context", + "name": "inv_context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is key capture indicator of compromise", + "name": "ioc", + "overwrite": true, + "type": "keyword" + } + ], + "name": "investigations", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is a generic counter key that should be used with the label dclass.c1.str only", + "name": "dclass_c1", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c2.str only", + "name": "dclass_c2", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the number of times an event repeated", + "name": "event_counter", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r1.str only", + "name": "dclass_r1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c3.str only", + "name": "dclass_c3", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c1 only", + "name": "dclass_c1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter 
string key that should be used with the label dclass.c2 only", + "name": "dclass_c2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r1 only", + "name": "dclass_r1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r2.str only", + "name": "dclass_r2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c3 only", + "name": "dclass_c3_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r3.str only", + "name": "dclass_r3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r2 only", + "name": "dclass_r2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r3 only", + "name": "dclass_r3_str", + "overwrite": true, + "type": "keyword" + } + ], + "name": "counters", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture authentication methods used only", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Role of a user only", + "name": "user_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "X.500 (LDAP) Distinguished Name", + "name": "dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the type of logon method used.", + "name": "logon_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the user profile", + "name": "profile", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key is used to capture actual privileges used in accessing an object", + "name": "accesses", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Radius realm or similar grouping of accounts", + "name": "realm", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination User Session ID", + "name": "user_sid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn", + "name": "dn_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the User organization", + "name": "org", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn", + "name": "dn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "firstname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "lastname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User's Department Names only", + "name": "user_dept", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source User Session ID", + "name": "user_sid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Federated Service Provider. This is the application requesting authentication.", + "name": "federated_sp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the federated Identity Provider. 
This is the server providing the authentication.", + "name": "federated_idp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.", + "name": "logon_type_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "middlename", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Passwords seen in any session, plain text or encrypted", + "name": "password", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the role of a Host Machine", + "name": "host_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context", + "name": "ldap", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Search criteria from an LDAP search", + "name": "ldap_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to capture Results from an LDAP search", + "name": "ldap_response", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture username the process or service is running as, the author of the task", + "name": "owner", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage", + "name": "service_account", + "overwrite": true, + "type": "keyword" + } + ], + "name": "identity", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email", + "name": "email_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the source email address only, when the source context is not clear use email", + "name": "email_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the subject string from an Email only.", + "name": "subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a generic email address where the source or destination context is not clear", + "name": "email", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_to", + "overwrite": true, + "type": "keyword" + } + ], + "name": "email", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Deprecated, use permissions", + "name": "privilege", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the attachment file name", + "name": "attachment", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filesystem", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "binary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the file targeted by the action", + "name": "filename_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the parent filename, the 
file which performed the action", + "name": "filename_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filename_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the target process or file", + "name": "directory_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the source process or file", + "name": "directory_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture entropy vale of a file", + "name": "file_entropy", + "overwrite": true, + "type": "double" + }, + { + "description": "This is used to capture Company name of file located in version_info", + "name": "file_vendor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the task", + "name": "task_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "file", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Fully Qualified Domain Names", + "name": "fqdn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Web cookies specifically.", + "name": "web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reputation Number of an entity. 
Typically used for Web Domains", + "name": "reputation_num", + "overwrite": true, + "type": "double" + }, + { + "description": "Web referer's domain", + "name": "web_ref_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's query portion of the URL", + "name": "web_ref_query", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's page information", + "name": "web_ref_page", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web referer's root URL path", + "name": "web_ref_root", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_rpackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlpage", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlroot", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_url", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_method", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_referer", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_extension_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_page", + "overwrite": true, + "type": "keyword" + } + ], + "name": "web", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures Threat Name/Threat Category/Categorization of alert", + "name": "threat_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the threat description from the session directly or inferred", + "name": "threat_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": 
"This key is used to capture name of the alert", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source of the threat", + "name": "threat_source", + "overwrite": true, + "type": "keyword" + } + ], + "name": "threat", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Encryption Type or Encryption Key only", + "name": "crypto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Source (Client) Cipher", + "name": "cipher_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate organization only", + "name": "cert_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer's IP Address", + "name": "peer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source (Client) Cipher Size", + "name": "cipher_size_src", + "overwrite": true, + "type": "long" + }, + { + "description": "IKE negotiation phase.", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Encryption scheme used", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer\u2019s identity", + "name": "peer_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Signature Type", + "name": "sig_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_issuer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "cert_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Certificate Error String", + "name": "cert_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Destination 
(Server) Cipher", + "name": "cipher_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination (Server) Cipher Size", + "name": "cipher_size_dst", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "d_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "name": "s_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One", + "name": "ike_cookie1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two", + "name": "ike_cookie2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used for the hostname category value of a certificate", + "name": "cert_host_cat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate serial number only", + "name": "cert_serial", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Certificate validation status", + "name": "cert_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_keysize", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_insact", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_valid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate signing authority only", + "name": "cert_ca", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate common 
name only", + "name": "cert_common", + "overwrite": true, + "type": "keyword" + } + ], + "name": "crypto", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the ssid of a Wireless Session", + "name": "wlan_ssid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the access point name.", + "name": "access_point", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the channel names", + "name": "wlan_channel", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures either WLAN number/name", + "name": "wlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "wireless", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "A unique name assigned to logical units (volumes) within a physical disk", + "name": "disk_volume", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Logical Unit Number.This key is a very useful concept in Storage.", + "name": "lun", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This uniquely identifies a port on a HBA.", + "name": "pwwn", + "overwrite": true, + "type": "keyword" + } + ], + "name": "storage", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.", + "name": "org_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.", + "name": "org_src", + "overwrite": true, + "type": "keyword" + } + ], + "name": "physical", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_fname", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "This key captures the unique ID for a patient", + "name": "patient_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_lname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_mname", + "overwrite": true, + "type": "keyword" + } + ], + "name": "healthcare", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on", + "name": "host_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the path to the registry key", + "name": "registry_key", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures values or decorators used within a registry entry", + "name": "registry_value", + "overwrite": true, + "type": "keyword" + } + ], + "name": "endpoint", + "overwrite": true, + "type": "group" + } + ], + "name": "rsa", + "overwrite": true, + "type": "group" + } + ] + } + } + } + } + } + }, + "elasticsearch": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "audit": { + "enabled": true + }, + "deprecation": { + "enabled": true + }, + "gc": { + "enabled": true + }, + "module": "elasticsearch", + "server": { + "enabled": true + }, + "slowlog": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "elasticsearch Module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "Elasticsearch component from where the log event originated", + "example": "o.e.c.m.MetaDataCreateIndexService", + "name": "component", + "type": "keyword" + }, + { + "description": "UUID of the 
cluster", + "example": "GmvrbHlNTiSVYiPf8kxg9g", + "name": "cluster.uuid", + "type": "keyword" + }, + { + "description": "Name of the cluster", + "example": "docker-cluster", + "name": "cluster.name", + "type": "keyword" + }, + { + "description": "ID of the node", + "example": "DSiWcTyeThWtUXLB9J0BMw", + "name": "node.id", + "type": "keyword" + }, + { + "description": "Name of the node", + "example": "vWNJsZ3", + "name": "node.name", + "type": "keyword" + }, + { + "description": "Index name", + "example": "filebeat-test-input", + "name": "index.name", + "type": "keyword" + }, + { + "description": "Index id", + "example": "aOGgDwbURfCV57AScqbCgw", + "name": "index.id", + "type": "keyword" + }, + { + "description": "Id of the shard", + "example": "0", + "name": "shard.id", + "type": "keyword" + } + ], + "name": "elasticsearch", + "type": "group" + } + ], + "key": "elasticsearch", + "title": "Elasticsearch" + } + ] + } + }, + "audit": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "", + "fields": [ + { + "description": "The layer from which this event originated: rest, transport or ip_filter", + "example": "rest", + "name": "layer", + "type": "keyword" + }, + { + "description": "The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied", + "example": "access_granted", + "name": "event_type", + "type": "keyword" + }, + { + "description": "Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)", + "example": "local_node", + "name": "origin.type", + "type": "keyword" + }, + { + "description": "The authentication realm the authentication was validated against", + "example\"": "default_file", + "name": "realm", + "type": "keyword" + }, + { + "description": "The user's 
authentication realm, if authenticated", + "example\"": "active_directory", + "name": "user.realm", + "type": "keyword" + }, + { + "description": "Roles to which the principal belongs", + "example": [ + "kibana_admin", + "beats_admin" + ], + "name": "user.roles", + "type": "keyword" + }, + { + "description": "The name of the action that was executed", + "example": "cluster:monitor/main", + "name": "action", + "type": "keyword" + }, + { + "description": "REST URI parameters", + "example": "{username=jacknich2}", + "name": "url.params" + }, + { + "description": "Indices accessed by action", + "example": [ + "foo-2019.01.04", + "foo-2019.01.03", + "foo-2019.01.06" + ], + "name": "indices", + "type": "keyword" + }, + { + "description": "Unique ID of request", + "example": "WzL_kb6VSvOhAq0twPvHOQ", + "name": "request.id", + "type": "keyword" + }, + { + "description": "The type of request that was executed", + "example": "ClearScrollRequest", + "name": "request.name", + "type": "keyword" + }, + { + "migration": true, + "name": "request_body", + "path": "http.request.body.content", + "type": "alias" + }, + { + "migration": true, + "name": "origin_address", + "path": "source.ip", + "type": "alias" + }, + { + "migration": true, + "name": "uri", + "path": "url.original", + "type": "alias" + }, + { + "migration": true, + "name": "principal", + "path": "user.name", + "type": "alias" + }, + { + "name": "message", + "type": "text" + } + ], + "name": "audit", + "type": "group" + } + ] + } + } + } + }, + "deprecation": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "", + "fields": null, + "name": "deprecation", + "type": "group" + } + ] + } + } + } + }, + "gc": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "GC fileset fields.\n", + "fields": [ + { + "description": "Fields specific to GC phase.\n", + "fields": [ + { + "description": "Name of the GC collection phase.\n", + "name": "name", + "type": "keyword" + }, 
+ { + "description": "Collection phase duration according to the Java virtual machine.\n", + "name": "duration_sec", + "type": "float" + }, + { + "description": "Pause time in seconds cleaning up symbol tables.\n", + "name": "scrub_symbol_table_time_sec", + "type": "float" + }, + { + "description": "Pause time in seconds cleaning up string tables.\n", + "name": "scrub_string_table_time_sec", + "type": "float" + }, + { + "description": "Time spent processing weak references in seconds.\n", + "name": "weak_refs_processing_time_sec", + "type": "float" + }, + { + "description": "Time spent in seconds marking live objects while application is stopped.\n", + "name": "parallel_rescan_time_sec", + "type": "float" + }, + { + "description": "Time spent unloading unused classes in seconds.\n", + "name": "class_unload_time_sec", + "type": "float" + }, + { + "description": "Process CPU time spent performing collections.\n", + "fields": [ + { + "description": "CPU time spent outside the kernel.\n", + "name": "user_sec", + "type": "float" + }, + { + "description": "CPU time spent inside the kernel. 
\n", + "name": "sys_sec", + "type": "float" + }, + { + "description": "Total elapsed CPU time spent to complete the collection from start to finish.\n", + "name": "real_sec", + "type": "float" + } + ], + "name": "cpu_time", + "type": "group" + } + ], + "name": "phase", + "type": "group" + }, + { + "description": "The time from JVM start up in seconds, as a floating point number.\n", + "name": "jvm_runtime_sec", + "type": "float" + }, + { + "description": "Garbage collection threads total stop time seconds.\n", + "name": "threads_total_stop_time_sec", + "type": "float" + }, + { + "description": "Time took to stop threads seconds.\n", + "name": "stopping_threads_time_sec", + "type": "float" + }, + { + "description": "GC logging tags.\n", + "name": "tags", + "type": "keyword" + }, + { + "description": "Heap allocation and total size.\n", + "fields": [ + { + "description": "Total heap size in kilobytes.\n", + "name": "size_kb", + "type": "integer" + }, + { + "description": "Used heap in kilobytes.\n", + "name": "used_kb", + "type": "integer" + } + ], + "name": "heap", + "type": "group" + }, + { + "description": "Old generation occupancy and total size.\n", + "fields": [ + { + "description": "Total size of old generation in kilobytes.\n", + "name": "size_kb", + "type": "integer" + }, + { + "description": "Old generation occupancy in kilobytes.\n", + "name": "used_kb", + "type": "integer" + } + ], + "name": "old_gen", + "type": "group" + }, + { + "description": "Young generation occupancy and total size.\n", + "fields": [ + { + "description": "Total size of young generation in kilobytes.\n", + "name": "size_kb", + "type": "integer" + }, + { + "description": "Young generation occupancy in kilobytes.\n", + "name": "used_kb", + "type": "integer" + } + ], + "name": "young_gen", + "type": "group" + } + ], + "name": "gc", + "type": "group" + } + ] + } + } + } + }, + "server": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Server log file", + 
"fields": [ + { + "description\"": "Stack trace in case of errors", + "index": false, + "name": "stacktrace" + }, + { + "description": "GC log", + "fields": [ + { + "description": "Young GC", + "example": "", + "fields": [ + { + "description": "", + "example": "", + "name": "one", + "type": "long" + }, + { + "description": "", + "example": "", + "name": "two", + "type": "long" + } + ], + "name": "young", + "type": "group" + }, + { + "description": "Sequence number", + "example": 3449992, + "name": "overhead_seq", + "type": "long" + }, + { + "description": "Time spent in GC, in milliseconds", + "example": 1600, + "name": "collection_duration.ms", + "type": "float" + }, + { + "description": "Total time over which collection was observed, in milliseconds", + "example": 1800, + "name": "observation_duration.ms", + "type": "float" + } + ], + "name": "gc", + "type": "group" + } + ], + "name": "server", + "type": "group" + } + ] + } + } + } + }, + "slowlog": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Slowlog events from Elasticsearch", + "example": "[2018-06-29T10:06:14,933][INFO ][index.search.slowlog.query] [v_VJhjV] [metricbeat-6.3.0-2018.06.26][0] took[4.5ms], took_millis[4], total_hits[19435], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{\"query\":{\"match_all\":{\"boost\":1.0}}}],", + "fields": [ + { + "description": "Logger name", + "example": "index.search.slowlog.fetch", + "name": "logger", + "type": "keyword" + }, + { + "description": "Time it took to execute the query", + "example": "300ms", + "name": "took", + "type": "keyword" + }, + { + "description": "Types", + "example": "", + "name": "types", + "type": "keyword" + }, + { + "description": "Stats groups", + "example": "group1", + "name": "stats", + "type": "keyword" + }, + { + "description": "Search type", + "example": "QUERY_THEN_FETCH", + "name": "search_type", + "type": "keyword" + }, + { + "description": "Slow query", + "example": 
"{\"query\":{\"match_all\":{\"boost\":1.0}}}", + "name": "source_query", + "type": "keyword" + }, + { + "description": "Extra source information", + "example": "", + "name": "extra_source", + "type": "keyword" + }, + { + "description": "Total hits", + "example": 42, + "name": "total_hits", + "type": "keyword" + }, + { + "description": "Total queried shards", + "example": 22, + "name": "total_shards", + "type": "keyword" + }, + { + "description": "Routing", + "example": "s01HZ2QBk9jw4gtgaFtn", + "name": "routing", + "type": "keyword" + }, + { + "description": "Id", + "example": "", + "name": "id", + "type": "keyword" + }, + { + "description": "Type", + "example": "doc", + "name": "type", + "type": "keyword" + }, + { + "description": "Source of document that was indexed", + "name": "source", + "type": "keyword" + } + ], + "name": "slowlog", + "type": "group" + } + ] + } + } + } + } + } + }, + "envoyproxy": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "envoyproxy" + } + ], + "fields.yml": [ + { + "description": "Module for handling logs produced by envoy\n", + "fields": [ + { + "description": "Fields from envoy proxy logs after normalization\n", + "fields": [ + { + "description": "Envoy log type, normally ACCESS\n", + "name": "log_type", + "type": "keyword" + }, + { + "description": "Response flags\n", + "name": "response_flags", + "type": "keyword" + }, + { + "description": "Upstream service time in nanoseconds\n", + "format": "duration", + "input_format": "nanoseconds", + "name": "upstream_service_time", + "type": "long" + }, + { + "description": "ID of the request\n", + "name": "request_id", + "type": "keyword" + }, + { + "description": "Envoy proxy authority field\n", + "name": "authority", + "type": "keyword" + }, + { + "description": "Envoy proxy type, tcp or http\n", + "name": "proxy_type", + "type": "keyword" + } + ], + "name": "envoyproxy", + "type": "group" + } + ], + "key": "envoyproxy", + 
"title": "Envoyproxy" + } + ] + } + } + } + }, + "f5": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "bigipapm": { + "enabled": true + }, + "module": "f5" + } + ], + "fields.yml": [ + { + "description": "f5 fields.\n", + "fields": null, + "key": "f5", + "title": "Big-IP Access Policy Manager" + } + ] + } + }, + "bigipapm": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Name of the network interface where the traffic has been observed.\n", + "name": "network.interface.name", + "overwrite": true, + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "fields": [ + { + "description": "This key is used to capture the raw message that comes into the Log Decoder", + "name": "msg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "messageid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of instant messages", + "name": "message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.", + "name": "time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "level", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_vid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "data", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "statement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "audit_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "entry", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "hcode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "inode", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "dead", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "device_type_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "did", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "event_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.", + "name": "forward_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "forward_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "header_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_ctime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session", + "name": "medium", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "node_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key denotes that event is endpoint related", + "name": "nwe_callback_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "parse_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.", + "name": "process_vid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.", + "name": "process_vid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "rid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "session_split", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "site", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "size", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "sourcefile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log", + "name": "word", + "overwrite": true, + "type": "keyword" + } + ], + "name": "internal", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form", + "name": "event_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the normalized duration/lifetime in seconds.", + "name": "duration_time", + "overwrite": true, + "type": "double" + }, + { + "description": "This key is used to capture the incomplete time mentioned in a session as a string", + "name": "event_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Start time mentioned in a session in a 
standard form", + "name": "starttime", + "overwrite": true, + "type": "date" + }, + { + "name": "month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "day", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the End time mentioned in a session in a standard form", + "name": "endtime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the timezone of the Event Time", + "name": "timezone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A text string version of the duration", + "name": "duration_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. 
Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": "expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": 
true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a 
sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. 
Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd Linked ID. 
Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + "name": 
"event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI",
+ "name": "ip_proto",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "name": "dns_cname_record",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "dns_id",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "dns_opcode",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "dns_resp",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "dns_type",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "domain1",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "host_type",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "packet_length",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.",
+ "name": "host_orig",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.",
+ "name": "rpayload",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key should only be used to capture the name of the Virtual LAN",
+ "name": "vlan_name",
+ "overwrite": true,
+ "type": "keyword"
+ }
+ ],
+ "name": "network",
+ "overwrite": true,
+ "type": "group"
+ },
+ {
+ "fields": [
+ {
+ "description": "This key captures the particular event activity(Ex:Logoff)",
+ "name": "ec_activity",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures the Theme of a particular Event(Ex:Authentication)",
+ "name": "ec_theme",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures the Subject of a particular Event(Ex:User)",
+ "name": "ec_subject",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures the outcome of a particular Event(Ex:Success)",
+ "name": "ec_outcome",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures the Event category number",
+ "name": "event_cat",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This key captures the event category name corresponding to the event cat code",
+ "name": "event_cat_name",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.",
+ "name": "event_vcat",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file",
+ "name": "analysis_file",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service",
+ "name": "analysis_service",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session",
+ "name": "analysis_session",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is used to capture behaviour of compromise",
+ "name": "boc",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is used to capture Enablers of Compromise",
+ "name": "eoc",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This used to capture investigation category",
+ "name": "inv_category",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This used to capture investigation context",
+ "name": "inv_context",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is key capture indicator of compromise",
+ "name": "ioc",
+ "overwrite": true,
+ "type": "keyword"
+ }
+ ],
+ "name": "investigations",
+ "overwrite": true,
+ "type": "group"
+ },
+ {
+ "fields": [
+ {
+ "description": "This is a generic counter key that should be used with the label dclass.c1.str only",
+ "name": "dclass_c1",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This is a generic counter key that should be used with the label dclass.c2.str only",
+ "name": "dclass_c2",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This is used to capture the number of times an event repeated",
+ "name": "event_counter",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This is a generic ratio key that should be used with the label dclass.r1.str only",
+ "name": "dclass_r1",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is a generic counter key that should be used with the label dclass.c3.str only",
+ "name": "dclass_c3",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This is a generic counter string key that should be used with the label dclass.c1 only",
+ "name": "dclass_c1_str",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is a generic counter string key that should be used with the label dclass.c2 only",
+ "name": "dclass_c2_str",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is a generic ratio string key that should be used with the label dclass.r1 only",
+ "name": "dclass_r1_str",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is a generic ratio key that should be used with the label dclass.r2.str only",
+ "name": "dclass_r2",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is a generic counter string key that should be used with the label dclass.c3 only",
+ "name": "dclass_c3_str",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is a generic ratio key that should be used with the label dclass.r3.str only",
+ "name": "dclass_r3",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is a generic ratio string key that should be used with the label dclass.r2 only",
+ "name": "dclass_r2_str",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is a generic ratio string key that should be used with the label dclass.r3 only",
+ "name": "dclass_r3_str",
+ "overwrite": true,
+ "type": "keyword"
+ }
+ ],
+ "name": "counters",
+ "overwrite": true,
+ "type": "group"
+ },
+ {
+ "fields": [
+ {
+ "description": "This key is used to capture authentication methods used only",
+ "name": "auth_method",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the Role of a user only",
+ "name": "user_role",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "X.500 (LDAP) Distinguished Name",
+ "name": "dn",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the type of logon method used.",
+ "name": "logon_type",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the user profile",
+ "name": "profile",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture actual privileges used in accessing an object",
+ "name": "accesses",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Radius realm or similar grouping of accounts",
+ "name": "realm",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures Destination User Session ID",
+ "name": "user_sid_dst",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn",
+ "name": "dn_src",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures the User organization",
+ "name": "org",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn",
+ "name": "dn_dst",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information",
+ "name": "firstname",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information",
+ "name": "lastname",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "User's Department Names only",
+ "name": "user_dept",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures Source User Session ID",
+ "name": "user_sid_src",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is the Federated Service Provider. This is the application requesting authentication.",
+ "name": "federated_sp",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is the federated Identity Provider. This is the server providing the authentication.",
+ "name": "federated_idp",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.",
+ "name": "logon_type_desc",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information",
+ "name": "middlename",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is for Passwords seen in any session, plain text or encrypted",
+ "name": "password",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key should only be used to capture the role of a Host Machine",
+ "name": "host_role",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context",
+ "name": "ldap",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is the Search criteria from an LDAP search",
+ "name": "ldap_query",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is to capture Results from an LDAP search",
+ "name": "ldap_response",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is used to capture username the process or service is running as, the author of the task",
+ "name": "owner",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage",
+ "name": "service_account",
+ "overwrite": true,
+ "type": "keyword"
+ }
+ ],
+ "name": "identity",
+ "overwrite": true,
+ "type": "group"
+ },
+ {
+ "fields": [
+ {
+ "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email",
+ "name": "email_dst",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the source email address only, when the source context is not clear use email",
+ "name": "email_src",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the subject string from an Email only.",
+ "name": "subject",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture a generic email address where the source or destination context is not clear",
+ "name": "email",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "trans_from",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "trans_to",
+ "overwrite": true,
+ "type": "keyword"
+ }
+ ],
+ "name": "email",
+ "overwrite": true,
+ "type": "group"
+ },
+ {
+ "fields": [
+ {
+ "description": "Deprecated, use permissions",
+ "name": "privilege",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures the attachment file name",
+ "name": "attachment",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "filesystem",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "binary",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is used to capture name of the file targeted by the action",
+ "name": "filename_dst",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is used to capture name of the parent filename, the file which performed the action",
+ "name": "filename_src",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "filename_tmp",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the directory of the target process or file",
+ "name": "directory_dst",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the directory of the source process or file",
+ "name": "directory_src",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is used to capture entropy vale of a file",
+ "name": "file_entropy",
+ "overwrite": true,
+ "type": "double"
+ },
+ {
+ "description": "This is used to capture Company name of file located in version_info",
+ "name": "file_vendor",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is used to capture name of the task",
+ "name": "task_name",
+ "overwrite": true,
+ "type": "keyword"
+ }
+ ],
+ "name": "file",
+ "overwrite": true,
+ "type": "group"
+ },
+ {
+ "fields": [
+ {
+ "description": "Fully Qualified Domain Names",
+ "name": "fqdn",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the Web cookies specifically.",
+ "name": "web_cookie",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "alias_host",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Reputation Number of an entity. Typically used for Web Domains",
+ "name": "reputation_num",
+ "overwrite": true,
+ "type": "double"
+ },
+ {
+ "description": "Web referer's domain",
+ "name": "web_ref_domain",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures Web referer's query portion of the URL",
+ "name": "web_ref_query",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "remote_domain",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures Web referer's page information",
+ "name": "web_ref_page",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Web referer's root URL path",
+ "name": "web_ref_root",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "cn_asn_dst",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "cn_rpackets",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "urlpage",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "urlroot",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "p_url",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "p_user_agent",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "p_web_cookie",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "p_web_method",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "p_web_referer",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "web_extension_tmp",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "web_page",
+ "overwrite": true,
+ "type": "keyword"
+ }
+ ],
+ "name": "web",
+ "overwrite": true,
+ "type": "group"
+ },
+ {
+ "fields": [
+ {
+ "description": "This key captures Threat Name/Threat Category/Categorization of alert",
+ "name": "threat_category",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the threat description from the session directly or inferred",
+ "name": "threat_desc",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture name of the alert",
+ "name": "alert",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture source of the threat",
+ "name": "threat_source",
+ "overwrite": true,
+ "type": "keyword"
+ }
+ ],
+ "name": "threat",
+ "overwrite": true,
+ "type": "group"
+ },
+ {
+ "fields": [
+ {
+ "description": "This key is used to capture the Encryption Type or Encryption Key only",
+ "name": "crypto",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is for Source (Client) Cipher",
+ "name": "cipher_src",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the Certificate organization only",
+ "name": "cert_subject",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is for Encryption peer's IP Address",
+ "name": "peer",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures Source (Client) Cipher Size",
+ "name": "cipher_size_src",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "IKE negotiation phase.",
+ "name": "ike",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures the Encryption scheme used",
+ "name": "scheme",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is for Encryption peer\u2019s identity",
+ "name": "peer_id",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures the Signature Type",
+ "name": "sig_type",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "cert_issuer",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "cert_host_name",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures the Certificate Error String",
+ "name": "cert_error",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is for Destination (Server) Cipher",
+ "name": "cipher_dst",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures Destination (Server) Cipher Size",
+ "name": "cipher_size_dst",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "Deprecated, use version",
+ "name": "ssl_ver_src",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "d_certauth",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "s_certauth",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One",
+ "name": "ike_cookie1",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two",
+ "name": "ike_cookie2",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "cert_checksum",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used for the hostname category value of a certificate",
+ "name": "cert_host_cat",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the Certificate serial number only",
+ "name": "cert_serial",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures Certificate validation status",
+ "name": "cert_status",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated, use version",
+ "name": "ssl_ver_dst",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "cert_keysize",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "cert_username",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "https_insact",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "https_valid",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the Certificate signing authority only",
+ "name": "cert_ca",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the Certificate common name only",
+ "name": "cert_common",
+ "overwrite": true,
+ "type": "keyword"
+ }
+ ],
+ "name": "crypto",
+ "overwrite": true,
+ "type": "group"
+ },
+ {
+ "fields": [
+ {
+ "description": "This key is used to capture the ssid of a Wireless Session",
+ "name": "wlan_ssid",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the access point name.",
+ "name": "access_point",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is used to capture the channel names",
+ "name": "wlan_channel",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This key captures either WLAN number/name",
+ "name": "wlan_name",
+ "overwrite": true,
+ "type": "keyword"
+ }
+ ],
+ "name": "wireless",
+ "overwrite": true,
+ "type": "group"
+ },
+ {
+ "fields": [
+ {
+ "description": "A unique name assigned to logical units (volumes) within a physical disk",
+ "name": "disk_volume",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Logical Unit Number.This key is a very useful concept in Storage.",
+ "name": "lun",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This uniquely identifies a port on a HBA.",
+ "name": "pwwn",
+ "overwrite": true,
+ "type": "keyword"
+ }
+ ],
+ "name": "storage",
+ "overwrite": true,
+ "type": "group"
+ },
+ {
+ "fields": [
+ {
+ "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.",
+ "name": "org_dst",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.",
+ "name": "org_src",
+ "overwrite": true,
+ "type": "keyword"
+ }
+ ],
+ "name": "physical",
+ "overwrite": true,
+ "type": "group"
+ },
+ {
+ "fields": [
+ {
+ "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information",
+ "name": "patient_fname",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures the unique ID for a patient",
+ "name": "patient_id",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information",
+ "name": "patient_lname",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information",
+ "name": "patient_mname",
+ "overwrite": true,
+ "type": "keyword"
+ }
+ ],
+ "name": "healthcare",
+ "overwrite": true,
+ "type": "group"
+ },
+ {
+ "fields": [
+ {
+ "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on",
+ "name": "host_state",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures the path to the registry key",
+ "name": "registry_key",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures values or decorators used within a registry entry",
+ "name": "registry_value",
+ "overwrite": true,
+ "type": "keyword"
+ }
+ ],
+ "name": "endpoint",
+ "overwrite": true,
+ "type": "group"
+ }
+ ],
+ "name": "rsa",
+ "overwrite": true,
+ "type": "group"
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+ },
+ "fortinet": {
+ "folders": {
+ "_meta": {
+ "files": {
+ "config.yml": [
+ {
+ "clientendpoint": {
+ "enabled": true
+ },
+ "firewall": {
+ "enabled": true
+ },
+ "module": "fortinet"
+ }
+ ],
+ "fields.yml": [
+ {
+ "description": "fortinet Module\n",
+ "fields": null,
+ "key": "fortinet",
+ "title": "Fortinet"
+ }
+ ]
+ }
+ },
+ "clientendpoint": {
+ "folders": {
+ "_meta": {
+ "files": {
+ "fields.yml": [
+ {
+ "default_field": false,
+ "description": "Name of the network interface where the traffic has been observed.\n",
+ "name": "network.interface.name",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "default_field": false,
+ "fields": [
+ {
+ "fields": [
+ {
+ "description": "This key is used to capture the raw message that comes into the Log Decoder",
+ "name": "msg",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "messageid",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "event_desc",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key captures the contents of instant messages",
+ "name": "message",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.",
+ "name": "time",
+ "overwrite": true,
+ "type": "date"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "level",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "msg_id",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "msg_vid",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "data",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "obj_server",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "obj_val",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "resource",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "obj_id",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "statement",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "audit_class",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "entry",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "hcode",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "inode",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "resource_class",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "dead",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "feed_desc",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "feed_name",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "cid",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "device_class",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "device_group",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "device_host",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "device_ip",
+ "overwrite": true,
+ "type": "ip"
+ },
+ {
+ "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "device_ipv6",
+ "overwrite": true,
+ "type": "ip"
+ },
+ {
+ "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "device_type",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "device_type_id",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "did",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration",
+ "name": "entropy_req",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration",
+ "name": "entropy_res",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "event_name",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "feed_category",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.",
+ "name": "forward_ip",
+ "overwrite": true,
+ "type": "ip"
+ },
+ {
+ "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "forward_ipv6",
+ "overwrite": true,
+ "type": "ip"
+ },
+ {
+ "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "header_id",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "lc_cid",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "lc_ctime",
+ "overwrite": true,
+ "type": "date"
+ },
+ {
+ "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most",
+ "name": "mcb_req",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most",
+ "name": "mcb_res",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams",
+ "name": "mcbc_req",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams",
+ "name": "mcbc_res",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session",
+ "name": "medium",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "node_name",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key denotes that event is endpoint related",
+ "name": "nwe_callback_id",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "parse_error",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep",
+ "name": "payload_req",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep",
+ "name": "payload_res",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.",
+ "name": "process_vid_dst",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.",
+ "name": "process_vid_src",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "rid",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "session_split",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "Deprecated key defined only in table map.",
+ "name": "site",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "size",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness",
+ "name": "sourcefile",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once",
+ "name": "ubc_req",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once",
+ "name": "ubc_res",
+ "overwrite": true,
+ "type": "long"
+ },
+ {
+ "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log",
+ "name": "word",
+ "overwrite": true,
+ "type": "keyword"
+ }
+ ],
+ "name": "internal",
+ "overwrite": true,
+ "type": "group"
+ },
+ {
+ "fields": [
+ {
+ "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form",
+ "name": "event_time",
+ "overwrite": true,
+ "type": "date"
+ },
+ {
+ "description": "This key is used to capture the normalized duration/lifetime in seconds.",
+ "name": "duration_time",
+ "overwrite": true,
+ "type": "double"
+ },
+ {
+ "description": "This key is used to capture the incomplete time mentioned in a session as a string",
+ "name": "event_time_str",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the Start time mentioned in a session in a standard form",
+ "name": "starttime",
+ "overwrite": true,
+ "type": "date"
+ },
+ {
+ "name": "month",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "day",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "This key is used to capture the End time mentioned in a session in a standard form",
+ "name": "endtime",
+ "overwrite": true,
+ "type": "date"
+ },
+ {
+ "description": "This key is used to capture the timezone of the Event Time",
+ "name": "timezone",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "A text string version of the duration",
+ "name": "duration_str",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "date",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "name": "year",
+ "overwrite": true,
+ "type": "keyword"
+ },
+ {
+ "description": "The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. 
Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": "expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": 
true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a 
sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. 
Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd Linked ID. 
Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + "name": 
"event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI", + "name": "ip_proto", + "overwrite": true, + "type": "long" + }, + { + "name": "dns_cname_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_opcode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_resp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "host_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "packet_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.", + "name": "host_orig", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.", + "name": "rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the name of the Virtual LAN", + "name": "vlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "network", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures the particular event activity(Ex:Logoff)", + "name": "ec_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Theme of a particular Event(Ex:Authentication)", + "name": "ec_theme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Subject of a particular Event(Ex:User)", + "name": "ec_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the outcome of a particular Event(Ex:Success)", + "name": "ec_outcome", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Event 
category number", + "name": "event_cat", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the event category name corresponding to the event cat code", + "name": "event_cat_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.", + "name": "event_vcat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file", + "name": "analysis_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service", + "name": "analysis_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session", + "name": "analysis_session", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture behaviour of compromise", + "name": "boc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Enablers of Compromise", + "name": "eoc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation category", + "name": "inv_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation context", + "name": "inv_context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is key capture indicator of compromise", + "name": "ioc", + "overwrite": true, + "type": "keyword" + } + ], + "name": "investigations", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is a generic counter key that should be used with the label dclass.c1.str only", + "name": "dclass_c1", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c2.str only", + "name": "dclass_c2", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the number of times an event repeated", + "name": "event_counter", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r1.str only", + "name": "dclass_r1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c3.str only", + "name": "dclass_c3", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c1 only", + "name": "dclass_c1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter 
string key that should be used with the label dclass.c2 only", + "name": "dclass_c2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r1 only", + "name": "dclass_r1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r2.str only", + "name": "dclass_r2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c3 only", + "name": "dclass_c3_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r3.str only", + "name": "dclass_r3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r2 only", + "name": "dclass_r2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r3 only", + "name": "dclass_r3_str", + "overwrite": true, + "type": "keyword" + } + ], + "name": "counters", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture authentication methods used only", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Role of a user only", + "name": "user_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "X.500 (LDAP) Distinguished Name", + "name": "dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the type of logon method used.", + "name": "logon_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the user profile", + "name": "profile", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key is used to capture actual privileges used in accessing an object", + "name": "accesses", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Radius realm or similar grouping of accounts", + "name": "realm", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination User Session ID", + "name": "user_sid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn", + "name": "dn_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the User organization", + "name": "org", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn", + "name": "dn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "firstname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "lastname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User's Department Names only", + "name": "user_dept", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source User Session ID", + "name": "user_sid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Federated Service Provider. This is the application requesting authentication.", + "name": "federated_sp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the federated Identity Provider. 
This is the server providing the authentication.", + "name": "federated_idp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.", + "name": "logon_type_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "middlename", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Passwords seen in any session, plain text or encrypted", + "name": "password", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the role of a Host Machine", + "name": "host_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context", + "name": "ldap", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Search criteria from an LDAP search", + "name": "ldap_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to capture Results from an LDAP search", + "name": "ldap_response", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture username the process or service is running as, the author of the task", + "name": "owner", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage", + "name": "service_account", + "overwrite": true, + "type": "keyword" + } + ], + "name": "identity", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email", + "name": "email_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the source email address only, when the source context is not clear use email", + "name": "email_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the subject string from an Email only.", + "name": "subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a generic email address where the source or destination context is not clear", + "name": "email", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_to", + "overwrite": true, + "type": "keyword" + } + ], + "name": "email", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Deprecated, use permissions", + "name": "privilege", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the attachment file name", + "name": "attachment", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filesystem", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "binary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the file targeted by the action", + "name": "filename_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the parent filename, the 
file which performed the action", + "name": "filename_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filename_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the target process or file", + "name": "directory_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the source process or file", + "name": "directory_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture entropy vale of a file", + "name": "file_entropy", + "overwrite": true, + "type": "double" + }, + { + "description": "This is used to capture Company name of file located in version_info", + "name": "file_vendor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the task", + "name": "task_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "file", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Fully Qualified Domain Names", + "name": "fqdn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Web cookies specifically.", + "name": "web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reputation Number of an entity. 
Typically used for Web Domains", + "name": "reputation_num", + "overwrite": true, + "type": "double" + }, + { + "description": "Web referer's domain", + "name": "web_ref_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's query portion of the URL", + "name": "web_ref_query", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's page information", + "name": "web_ref_page", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web referer's root URL path", + "name": "web_ref_root", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_rpackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlpage", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlroot", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_url", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_method", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_referer", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_extension_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_page", + "overwrite": true, + "type": "keyword" + } + ], + "name": "web", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures Threat Name/Threat Category/Categorization of alert", + "name": "threat_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the threat description from the session directly or inferred", + "name": "threat_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": 
"This key is used to capture name of the alert", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source of the threat", + "name": "threat_source", + "overwrite": true, + "type": "keyword" + } + ], + "name": "threat", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Encryption Type or Encryption Key only", + "name": "crypto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Source (Client) Cipher", + "name": "cipher_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate organization only", + "name": "cert_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer's IP Address", + "name": "peer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source (Client) Cipher Size", + "name": "cipher_size_src", + "overwrite": true, + "type": "long" + }, + { + "description": "IKE negotiation phase.", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Encryption scheme used", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer\u2019s identity", + "name": "peer_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Signature Type", + "name": "sig_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_issuer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "cert_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Certificate Error String", + "name": "cert_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Destination 
(Server) Cipher", + "name": "cipher_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination (Server) Cipher Size", + "name": "cipher_size_dst", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "d_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "name": "s_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One", + "name": "ike_cookie1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two", + "name": "ike_cookie2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used for the hostname category value of a certificate", + "name": "cert_host_cat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate serial number only", + "name": "cert_serial", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Certificate validation status", + "name": "cert_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_keysize", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_insact", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_valid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate signing authority only", + "name": "cert_ca", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate common 
name only", + "name": "cert_common", + "overwrite": true, + "type": "keyword" + } + ], + "name": "crypto", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the ssid of a Wireless Session", + "name": "wlan_ssid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the access point name.", + "name": "access_point", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the channel names", + "name": "wlan_channel", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures either WLAN number/name", + "name": "wlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "wireless", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "A unique name assigned to logical units (volumes) within a physical disk", + "name": "disk_volume", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Logical Unit Number.This key is a very useful concept in Storage.", + "name": "lun", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This uniquely identifies a port on a HBA.", + "name": "pwwn", + "overwrite": true, + "type": "keyword" + } + ], + "name": "storage", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.", + "name": "org_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.", + "name": "org_src", + "overwrite": true, + "type": "keyword" + } + ], + "name": "physical", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_fname", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "This key captures the unique ID for a patient", + "name": "patient_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_lname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_mname", + "overwrite": true, + "type": "keyword" + } + ], + "name": "healthcare", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on", + "name": "host_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the path to the registry key", + "name": "registry_key", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures values or decorators used within a registry entry", + "name": "registry_value", + "overwrite": true, + "type": "keyword" + } + ], + "name": "endpoint", + "overwrite": true, + "type": "group" + } + ], + "name": "rsa", + "overwrite": true, + "type": "group" + } + ] + } + } + } + }, + "firewall": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields from fortinet FortiOS\n", + "fields": [ + { + "description": "CRC32 Hash of file\n", + "name": "file.hash.crc32", + "type": "keyword" + }, + { + "default_field": false, + "description": "Module for parsing Fortinet syslog.\n", + "fields": [ + { + "description": "Accounting state (RADIUS)\n", + "name": "acct_stat", + "type": "keyword" + }, + { + "description": "Alarm Acknowledge Time\n", + "name": "acktime", + "type": "keyword" + }, + { + "description": "Action\n", + "name": "act", + "type": "keyword" + }, + { + "description": "Status of the 
session\n", + "name": "action", + "type": "keyword" + }, + { + "description": "HA activity message\n", + "name": "activity", + "type": "keyword" + }, + { + "description": "IP Address\n", + "name": "addr", + "type": "ip" + }, + { + "description": "Address Type\n", + "name": "addr_type", + "type": "keyword" + }, + { + "description": "Address Group\n", + "name": "addrgrp", + "type": "keyword" + }, + { + "description": "AD Group Name\n", + "name": "adgroup", + "type": "keyword" + }, + { + "description": "Admin User\n", + "name": "admin", + "type": "keyword" + }, + { + "description": "Time in seconds - time passed since last seen\n", + "name": "age", + "type": "integer" + }, + { + "description": "User agent - eg. agent=\"Mozilla/5.0\"\n", + "name": "agent", + "type": "keyword" + }, + { + "description": "Alarm ID\n", + "name": "alarmid", + "type": "integer" + }, + { + "description": "Alert\n", + "name": "alert", + "type": "keyword" + }, + { + "description": "The checksum of the file submitted for analytics\n", + "name": "analyticscksum", + "type": "keyword" + }, + { + "description": "The flag for analytics submission\n", + "name": "analyticssubmit", + "type": "keyword" + }, + { + "description": "Access Point\n", + "name": "ap", + "type": "keyword" + }, + { + "description": "Address Type\n", + "name": "app-type", + "type": "keyword" + }, + { + "description": "The security action from app control\n", + "name": "appact", + "type": "keyword" + }, + { + "description": "Application ID\n", + "name": "appid", + "type": "integer" + }, + { + "description": "Application Control profile\n", + "name": "applist", + "type": "keyword" + }, + { + "description": "Application Risk Level\n", + "name": "apprisk", + "type": "keyword" + }, + { + "description": "The name of the AP, which scanned and detected the rogue AP\n", + "name": "apscan", + "type": "keyword" + }, + { + "description": "Access Point\n", + "name": "apsn", + "type": "keyword" + }, + { + "description": "Access Point status\n", 
+ "name": "apstatus", + "type": "keyword" + }, + { + "description": "Access Point type\n", + "name": "aptype", + "type": "keyword" + }, + { + "description": "Assigned IP Address\n", + "name": "assigned", + "type": "ip" + }, + { + "description": "Assigned IP Address\n", + "name": "assignip", + "type": "ip" + }, + { + "description": "The flag for email attachement\n", + "name": "attachment", + "type": "keyword" + }, + { + "description": "Attack Name\n", + "name": "attack", + "type": "keyword" + }, + { + "description": "The trigger patterns and the packetdata with base64 encoding\n", + "name": "attackcontext", + "type": "keyword" + }, + { + "description": "Attack context id / total\n", + "name": "attackcontextid", + "type": "keyword" + }, + { + "description": "Attack ID\n", + "name": "attackid", + "type": "integer" + }, + { + "description": "Audit ID\n", + "name": "auditid", + "type": "long" + }, + { + "description": "The Audit Score\n", + "name": "auditscore", + "type": "keyword" + }, + { + "description": "The time of the audit\n", + "name": "audittime", + "type": "long" + }, + { + "description": "Authorization Group\n", + "name": "authgrp", + "type": "keyword" + }, + { + "description": "Authentication ID\n", + "name": "authid", + "type": "keyword" + }, + { + "description": "The protocol that initiated the authentication\n", + "name": "authproto", + "type": "keyword" + }, + { + "description": "Authentication server\n", + "name": "authserver", + "type": "keyword" + }, + { + "description": "Bandwidth\n", + "name": "bandwidth", + "type": "keyword" + }, + { + "description": "NAC quarantine Banned Rule Name\n", + "name": "banned_rule", + "type": "keyword" + }, + { + "description": "NAC quarantine Banned Source IP\n", + "name": "banned_src", + "type": "keyword" + }, + { + "description": "Banned word\n", + "name": "banword", + "type": "keyword" + }, + { + "description": "Botnet Domain Name\n", + "name": "botnetdomain", + "type": "keyword" + }, + { + "description": "Botnet 
IP Address\n", + "name": "botnetip", + "type": "ip" + }, + { + "description": "Service Set ID\n", + "name": "bssid", + "type": "keyword" + }, + { + "description": "Caller ID\n", + "name": "call_id", + "type": "keyword" + }, + { + "description": "The FortiOS Carrier end-point identification\n", + "name": "carrier_ep", + "type": "keyword" + }, + { + "description": "DNS category ID\n", + "name": "cat", + "type": "integer" + }, + { + "description": "Authentication category\n", + "name": "category", + "type": "keyword" + }, + { + "description": "CC Email Address\n", + "name": "cc", + "type": "keyword" + }, + { + "description": "Cdrcontent\n", + "name": "cdrcontent", + "type": "keyword" + }, + { + "description": "Central NAT ID\n", + "name": "centralnatid", + "type": "integer" + }, + { + "description": "Certificate\n", + "name": "cert", + "type": "keyword" + }, + { + "description": "Certificate type\n", + "name": "cert-type", + "type": "keyword" + }, + { + "description": "Certificate hash\n", + "name": "certhash", + "type": "keyword" + }, + { + "description": "Configuration attribute\n", + "name": "cfgattr", + "type": "keyword" + }, + { + "description": "Configuration object\n", + "name": "cfgobj", + "type": "keyword" + }, + { + "description": "Configuration path\n", + "name": "cfgpath", + "type": "keyword" + }, + { + "description": "Configuration transaction ID\n", + "name": "cfgtid", + "type": "keyword" + }, + { + "description": "Configuration TX power\n", + "name": "cfgtxpower", + "type": "integer" + }, + { + "description": "Wireless Channel\n", + "name": "channel", + "type": "integer" + }, + { + "description": "SSH channel type\n", + "name": "channeltype", + "type": "keyword" + }, + { + "description": "Chassis ID\n", + "name": "chassisid", + "type": "integer" + }, + { + "description": "The checksum of the scanned file\n", + "name": "checksum", + "type": "keyword" + }, + { + "description": "HTTP Headers\n", + "name": "chgheaders", + "type": "keyword" + }, + { + 
"description": "Connector object ID\n", + "name": "cldobjid", + "type": "keyword" + }, + { + "description": "Wifi client address\n", + "name": "client_addr", + "type": "keyword" + }, + { + "description": "Cloud Action\n", + "name": "cloudaction", + "type": "keyword" + }, + { + "description": "Cloud User\n", + "name": "clouduser", + "type": "keyword" + }, + { + "description": "VOIP Column\n", + "name": "column", + "type": "integer" + }, + { + "description": "CLI Command\n", + "name": "command", + "type": "keyword" + }, + { + "description": "SNMP Community\n", + "name": "community", + "type": "keyword" + }, + { + "description": "Configuration country\n", + "name": "configcountry", + "type": "keyword" + }, + { + "description": "FortiClient Connection Type\n", + "name": "connection_type", + "type": "keyword" + }, + { + "description": "Flag for conserve mode\n", + "name": "conserve", + "type": "keyword" + }, + { + "description": "WAF http protocol restrictions\n", + "name": "constraint", + "type": "keyword" + }, + { + "description": "Email scanned content\n", + "name": "contentdisarmed", + "type": "keyword" + }, + { + "description": "Content Type from HTTP header\n", + "name": "contenttype", + "type": "keyword" + }, + { + "description": "VPN Cookie\n", + "name": "cookies", + "type": "keyword" + }, + { + "description": "Counts of action type\n", + "name": "count", + "type": "integer" + }, + { + "description": "Number of App Ctrl logs associated with the session\n", + "name": "countapp", + "type": "integer" + }, + { + "description": "Number of AV logs associated with the session\n", + "name": "countav", + "type": "integer" + }, + { + "description": "Number of CIFS logs associated with the session\n", + "name": "countcifs", + "type": "integer" + }, + { + "description": "Number of DLP logs associated with the session\n", + "name": "countdlp", + "type": "integer" + }, + { + "description": "Number of DNS logs associated with the session\n", + "name": "countdns", + "type": 
"integer" + }, + { + "description": "Number of email logs associated with the session\n", + "name": "countemail", + "type": "integer" + }, + { + "description": "Number of ff logs associated with the session\n", + "name": "countff", + "type": "integer" + }, + { + "description": "Number of IPS logs associated with the session\n", + "name": "countips", + "type": "integer" + }, + { + "description": "Number of SSH logs associated with the session\n", + "name": "countssh", + "type": "integer" + }, + { + "description": "Number of SSL logs associated with the session\n", + "name": "countssl", + "type": "integer" + }, + { + "description": "Number of WAF logs associated with the session\n", + "name": "countwaf", + "type": "integer" + }, + { + "description": "Number of Web filter logs associated with the session\n", + "name": "countweb", + "type": "integer" + }, + { + "description": "CPU Usage\n", + "name": "cpu", + "type": "integer" + }, + { + "description": "Client Reputation Action\n", + "name": "craction", + "type": "integer" + }, + { + "description": "Number of critical ratings\n", + "name": "criticalcount", + "type": "integer" + }, + { + "description": "Client Reputation Level\n", + "name": "crl", + "type": "keyword" + }, + { + "description": "Client Reputation Level\n", + "name": "crlevel", + "type": "keyword" + }, + { + "description": "Some description\n", + "name": "crscore", + "type": "integer" + }, + { + "description": "CVE ID\n", + "name": "cveid", + "type": "keyword" + }, + { + "description": "Daemon name\n", + "name": "daemon", + "type": "keyword" + }, + { + "description": "Data range for reports\n", + "name": "datarange", + "type": "keyword" + }, + { + "description": "Date\n", + "name": "date", + "type": "keyword" + }, + { + "description": "DDNS server\n", + "name": "ddnsserver", + "type": "ip" + }, + { + "description": "Description\n", + "name": "desc", + "type": "keyword" + }, + { + "description": "Detection method\n", + "name": "detectionmethod", + "type": 
"keyword" + }, + { + "description": "Device category\n", + "name": "devcategory", + "type": "keyword" + }, + { + "description": "HA device Interface Name\n", + "name": "devintfname", + "type": "keyword" + }, + { + "description": "Device type\n", + "name": "devtype", + "type": "keyword" + }, + { + "description": "DHCP Message\n", + "name": "dhcp_msg", + "type": "keyword" + }, + { + "description": "Destination interface\n", + "name": "dintf", + "type": "keyword" + }, + { + "description": "Assosciated disk\n", + "name": "disk", + "type": "keyword" + }, + { + "description": "Disk logging rate\n", + "name": "disklograte", + "type": "long" + }, + { + "description": "DLP extra information\n", + "name": "dlpextra", + "type": "keyword" + }, + { + "description": "DLP fingerprint document source\n", + "name": "docsource", + "type": "keyword" + }, + { + "description": "CIFS domain auth state\n", + "name": "domainctrlauthstate", + "type": "integer" + }, + { + "description": "CIFS domain auth type\n", + "name": "domainctrlauthtype", + "type": "integer" + }, + { + "description": "CIFS domain auth domain\n", + "name": "domainctrldomain", + "type": "keyword" + }, + { + "description": "CIFS Domain IP\n", + "name": "domainctrlip", + "type": "ip" + }, + { + "description": "CIFS Domain name\n", + "name": "domainctrlname", + "type": "keyword" + }, + { + "description": "CIFS Domain connection protocol\n", + "name": "domainctrlprotocoltype", + "type": "integer" + }, + { + "description": "CIFS Domain username\n", + "name": "domainctrlusername", + "type": "keyword" + }, + { + "description": "Domain filter ID\n", + "name": "domainfilteridx", + "type": "integer" + }, + { + "description": "Domain filter name\n", + "name": "domainfilterlist", + "type": "keyword" + }, + { + "description": "Direction with distribution system\n", + "name": "ds", + "type": "keyword" + }, + { + "description": "Destination interface\n", + "name": "dst_int", + "type": "keyword" + }, + { + "description": "Destination 
interface role\n", + "name": "dstintfrole", + "type": "keyword" + }, + { + "description": "Destination country\n", + "name": "dstcountry", + "type": "keyword" + }, + { + "description": "Destination device category\n", + "name": "dstdevcategory", + "type": "keyword" + }, + { + "description": "Destination device type\n", + "name": "dstdevtype", + "type": "keyword" + }, + { + "description": "Destination OS family\n", + "name": "dstfamily", + "type": "keyword" + }, + { + "description": "Destination HW vendor\n", + "name": "dsthwvendor", + "type": "keyword" + }, + { + "description": "Destination HW version\n", + "name": "dsthwversion", + "type": "keyword" + }, + { + "description": "Destination interface service\n", + "name": "dstinetsvc", + "type": "keyword" + }, + { + "description": "Destination OS name\n", + "name": "dstosname", + "type": "keyword" + }, + { + "description": "Destination OS version\n", + "name": "dstosversion", + "type": "keyword" + }, + { + "description": "Destination server\n", + "name": "dstserver", + "type": "integer" + }, + { + "description": "Destination SSID\n", + "name": "dstssid", + "type": "keyword" + }, + { + "description": "Destination software version\n", + "name": "dstswversion", + "type": "keyword" + }, + { + "description": "Destination unauthenticated source\n", + "name": "dstunauthusersource", + "type": "keyword" + }, + { + "description": "UUID of the Destination IP address\n", + "name": "dstuuid", + "type": "keyword" + }, + { + "description": "DHCP UID\n", + "name": "duid", + "type": "keyword" + }, + { + "description": "EAPOL packet count\n", + "name": "eapolcnt", + "type": "integer" + }, + { + "description": "EAPOL packet type\n", + "name": "eapoltype", + "type": "keyword" + }, + { + "description": "Whether the packet is encrypted or not\n", + "name": "encrypt", + "type": "integer" + }, + { + "description": "Encryption method\n", + "name": "encryption", + "type": "keyword" + }, + { + "description": "Epoch used for locating file\n", + 
"name": "epoch", + "type": "integer" + }, + { + "description": "ESP Authentication\n", + "name": "espauth", + "type": "keyword" + }, + { + "description": "ESP Transform\n", + "name": "esptransform", + "type": "keyword" + }, + { + "description": "Mail Exchanges from DNS response answer section\n", + "name": "exch", + "type": "keyword" + }, + { + "description": "Mail Exchanges from DNS response answer section\n", + "name": "exchange", + "type": "keyword" + }, + { + "description": "Expected SSL signature\n", + "name": "expectedsignature", + "type": "keyword" + }, + { + "description": "FortiGuard override expiry timestamp\n", + "name": "expiry", + "type": "keyword" + }, + { + "description": "Fortinet Analysis and Management Service Pause\n", + "name": "fams_pause", + "type": "integer" + }, + { + "description": "FortiAnalyzer Logging Rate\n", + "name": "fazlograte", + "type": "long" + }, + { + "description": "FortiClient Endpoint SSN\n", + "name": "fctemssn", + "type": "keyword" + }, + { + "description": "FortiClient UID\n", + "name": "fctuid", + "type": "keyword" + }, + { + "description": "NTP status field\n", + "name": "field", + "type": "keyword" + }, + { + "description": "The filter used to identify the affected file\n", + "name": "filefilter", + "type": "keyword" + }, + { + "description": "Filehash source\n", + "name": "filehashsrc", + "type": "keyword" + }, + { + "description": "DLP filter category\n", + "name": "filtercat", + "type": "keyword" + }, + { + "description": "DLP filter ID\n", + "name": "filteridx", + "type": "integer" + }, + { + "description": "DLP rule name\n", + "name": "filtername", + "type": "keyword" + }, + { + "description": "DLP filter type\n", + "name": "filtertype", + "type": "keyword" + }, + { + "description": "Antispam ESP value\n", + "name": "fortiguardresp", + "type": "keyword" + }, + { + "description": "Email address forwarded\n", + "name": "forwardedfor", + "type": "keyword" + }, + { + "description": "FQDN\n", + "name": "fqdn", + 
"type": "keyword" + }, + { + "description": "Wireless frametype\n", + "name": "frametype", + "type": "keyword" + }, + { + "description": "Free disk integer\n", + "name": "freediskstorage", + "type": "integer" + }, + { + "description": "From email address\n", + "name": "from", + "type": "keyword" + }, + { + "description": "Source virtual cluster number\n", + "name": "from_vcluster", + "type": "integer" + }, + { + "description": "FSA verdict\n", + "name": "fsaverdict", + "type": "keyword" + }, + { + "description": "Web proxy server name\n", + "name": "fwserver_name", + "type": "keyword" + }, + { + "description": "Gateway ip address for PPPoE status report\n", + "name": "gateway", + "type": "ip" + }, + { + "description": "Memory status\n", + "name": "green", + "type": "keyword" + }, + { + "description": "User Group ID\n", + "name": "groupid", + "type": "integer" + }, + { + "description": "HA Priority\n", + "name": "ha-prio", + "type": "integer" + }, + { + "description": "HA Group\n", + "name": "ha_group", + "type": "keyword" + }, + { + "description": "HA Role\n", + "name": "ha_role", + "type": "keyword" + }, + { + "description": "SSL Handshake\n", + "name": "handshake", + "type": "keyword" + }, + { + "description": "Hash value of downloaded file\n", + "name": "hash", + "type": "keyword" + }, + { + "description": "Heartbeat down reason\n", + "name": "hbdn_reason", + "type": "keyword" + }, + { + "description": "Highcount fabric summary\n", + "name": "highcount", + "type": "integer" + }, + { + "description": "Hostname\n", + "name": "host", + "type": "keyword" + }, + { + "description": "DHCPv6 id\n", + "name": "iaid", + "type": "keyword" + }, + { + "description": "Destination Port of the ICMP message\n", + "name": "icmpcode", + "type": "keyword" + }, + { + "description": "Source port of the ICMP message\n", + "name": "icmpid", + "type": "keyword" + }, + { + "description": "The type of ICMP message\n", + "name": "icmptype", + "type": "keyword" + }, + { + "description": 
"Network traffic identifier\n", + "name": "identifier", + "type": "integer" + }, + { + "description": "IPSEC inbound SPI\n", + "name": "in_spi", + "type": "keyword" + }, + { + "description": "Incident serial number\n", + "name": "incidentserialno", + "type": "integer" + }, + { + "description": "Infected MMS\n", + "name": "infected", + "type": "integer" + }, + { + "description": "DLP infected file level\n", + "name": "infectedfilelevel", + "type": "integer" + }, + { + "description": "Information source\n", + "name": "informationsource", + "type": "keyword" + }, + { + "description": "IPSEC init stage\n", + "name": "init", + "type": "keyword" + }, + { + "description": "Original login user name for Fortiguard override\n", + "name": "initiator", + "type": "keyword" + }, + { + "description": "Related interface\n", + "name": "interface", + "type": "keyword" + }, + { + "description": "Related interface\n", + "name": "intf", + "type": "keyword" + }, + { + "description": "The MAC address with invalid OUI\n", + "name": "invalidmac", + "type": "keyword" + }, + { + "description": "Related IP\n", + "name": "ip", + "type": "ip" + }, + { + "description": "Related IP type\n", + "name": "iptype", + "type": "keyword" + }, + { + "description": "Keyword used for search\n", + "name": "keyword", + "type": "keyword" + }, + { + "description": "VOIP kind\n", + "name": "kind", + "type": "keyword" + }, + { + "description": "LAN incoming traffic in bytes\n", + "name": "lanin", + "type": "long" + }, + { + "description": "LAN outbound traffic in bytes\n", + "name": "lanout", + "type": "long" + }, + { + "description": "DHCP lease\n", + "name": "lease", + "type": "integer" + }, + { + "description": "Maximum Number of FortiClients for the License\n", + "name": "license_limit", + "type": "keyword" + }, + { + "description": "Virtual Domain Resource Limit\n", + "name": "limit", + "type": "integer" + }, + { + "description": "VOIP line\n", + "name": "line", + "type": "keyword" + }, + { + "description": 
"Time in seconds\n", + "name": "live", + "type": "integer" + }, + { + "description": "Local IP for a PPPD Connection\n", + "name": "local", + "type": "ip" + }, + { + "description": "Log message\n", + "name": "log", + "type": "keyword" + }, + { + "description": "SSH login\n", + "name": "login", + "type": "keyword" + }, + { + "description": "Fabric lowcount\n", + "name": "lowcount", + "type": "integer" + }, + { + "description": "DHCP mac address\n", + "name": "mac", + "type": "keyword" + }, + { + "description": "VOIP malformed data\n", + "name": "malform_data", + "type": "integer" + }, + { + "description": "VOIP malformed data description\n", + "name": "malform_desc", + "type": "keyword" + }, + { + "description": "Manufacturer name\n", + "name": "manuf", + "type": "keyword" + }, + { + "description": "Master mac address for a host with multiple network interfaces\n", + "name": "masterdstmac", + "type": "keyword" + }, + { + "description": "The master MAC address for a host that has multiple network interfaces\n", + "name": "mastersrcmac", + "type": "keyword" + }, + { + "description": "Fabric medium count\n", + "name": "mediumcount", + "type": "integer" + }, + { + "description": "Memory usage system statistics\n", + "name": "mem", + "type": "keyword" + }, + { + "description": "Wireless mesh mode\n", + "name": "meshmode", + "type": "keyword" + }, + { + "description": "VOIP message type\n", + "name": "message_type", + "type": "keyword" + }, + { + "description": "HTTP method\n", + "name": "method", + "type": "keyword" + }, + { + "description": "The number of unauthorized client flooding managemet frames\n", + "name": "mgmtcnt", + "type": "integer" + }, + { + "description": "IPSEC mode\n", + "name": "mode", + "type": "keyword" + }, + { + "description": "PCI-DSS module\n", + "name": "module", + "type": "keyword" + }, + { + "description": "Health Monitor Name\n", + "name": "monitor-name", + "type": "keyword" + }, + { + "description": "Health Monitor Type\n", + "name": 
"monitor-type", + "type": "keyword" + }, + { + "description": "Wireless MPSK\n", + "name": "mpsk", + "type": "keyword" + }, + { + "description": "Message Protocol Number\n", + "name": "msgproto", + "type": "keyword" + }, + { + "description": "Max Transmission Unit Value\n", + "name": "mtu", + "type": "integer" + }, + { + "description": "Name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "NAT IP Address\n", + "name": "nat", + "type": "keyword" + }, + { + "description": "Connector NetID\n", + "name": "netid", + "type": "keyword" + }, + { + "description": "New status on user change\n", + "name": "new_status", + "type": "keyword" + }, + { + "description": "New Virtual Domain Name\n", + "name": "new_value", + "type": "keyword" + }, + { + "description": "New Channel Number\n", + "name": "newchannel", + "type": "integer" + }, + { + "description": "New Chassis ID\n", + "name": "newchassisid", + "type": "integer" + }, + { + "description": "New Slot Number\n", + "name": "newslot", + "type": "integer" + }, + { + "description": "Time interval in seconds for the next statistics.\n", + "name": "nextstat", + "type": "integer" + }, + { + "description": "Notification Type\n", + "name": "nf_type", + "type": "keyword" + }, + { + "description": "Wifi Noise\n", + "name": "noise", + "type": "integer" + }, + { + "description": "Original Status\n", + "name": "old_status", + "type": "keyword" + }, + { + "description": "Original Virtual Domain name\n", + "name": "old_value", + "type": "keyword" + }, + { + "description": "Original channel\n", + "name": "oldchannel", + "type": "integer" + }, + { + "description": "Original Chassis Number\n", + "name": "oldchassisid", + "type": "integer" + }, + { + "description": "Original Slot Number\n", + "name": "oldslot", + "type": "integer" + }, + { + "description": "Old Serial number\n", + "name": "oldsn", + "type": "keyword" + }, + { + "description": "Old Web Filter Profile\n", + "name": "oldwprof", + "type": "keyword" + }, + { + 
"description": "A flag to indicate if the AP is onwire or not\n", + "name": "onwire", + "type": "keyword" + }, + { + "description": "Operating Country\n", + "name": "opercountry", + "type": "keyword" + }, + { + "description": "Operating TX power\n", + "name": "opertxpower", + "type": "integer" + }, + { + "description": "Operating System name\n", + "name": "osname", + "type": "keyword" + }, + { + "description": "Operating System version\n", + "name": "osversion", + "type": "keyword" + }, + { + "description": "Out SPI\n", + "name": "out_spi", + "type": "keyword" + }, + { + "description": "Out interface\n", + "name": "outintf", + "type": "keyword" + }, + { + "description": "Fabric passed count\n", + "name": "passedcount", + "type": "integer" + }, + { + "description": "Changed user password information\n", + "name": "passwd", + "type": "keyword" + }, + { + "description": "Path of looped configuration for security fabric\n", + "name": "path", + "type": "keyword" + }, + { + "description": "WAN optimization peer\n", + "name": "peer", + "type": "keyword" + }, + { + "description": "VPN peer notification\n", + "name": "peer_notif", + "type": "keyword" + }, + { + "description": "VPN phase2 name\n", + "name": "phase2_name", + "type": "keyword" + }, + { + "description": "VOIP Phone\n", + "name": "phone", + "type": "keyword" + }, + { + "description": "Process ID\n", + "name": "pid", + "type": "integer" + }, + { + "description": "Policy Type\n", + "name": "policytype", + "type": "keyword" + }, + { + "description": "IP Pool name\n", + "name": "poolname", + "type": "keyword" + }, + { + "description": "Log upload error port\n", + "name": "port", + "type": "integer" + }, + { + "description": "IP Pool port number to begin\n", + "name": "portbegin", + "type": "integer" + }, + { + "description": "IP Pool port number to end\n", + "name": "portend", + "type": "integer" + }, + { + "description": "Link Monitor Probe Protocol\n", + "name": "probeproto", + "type": "keyword" + }, + { + 
"description": "URL Filter process\n", + "name": "process", + "type": "keyword" + }, + { + "description": "Process time for reports\n", + "name": "processtime", + "type": "integer" + }, + { + "description": "Profile Name\n", + "name": "profile", + "type": "keyword" + }, + { + "description": "Virtual Domain Name\n", + "name": "profile_vd", + "type": "keyword" + }, + { + "description": "Profile Group Name\n", + "name": "profilegroup", + "type": "keyword" + }, + { + "description": "Profile Type\n", + "name": "profiletype", + "type": "keyword" + }, + { + "description": "DNS question type value\n", + "name": "qtypeval", + "type": "integer" + }, + { + "description": "Quarantine skip explanation\n", + "name": "quarskip", + "type": "keyword" + }, + { + "description": "If quota has been exceeded\n", + "name": "quotaexceeded", + "type": "keyword" + }, + { + "description": "Maximum quota allowed - in seconds if time-based - in bytes if traffic-based\n", + "name": "quotamax", + "type": "long" + }, + { + "description": "Quota type\n", + "name": "quotatype", + "type": "keyword" + }, + { + "description": "Quota used - in seconds if time-based - in bytes if trafficbased)\n", + "name": "quotaused", + "type": "long" + }, + { + "description": "Radio band\n", + "name": "radioband", + "type": "keyword" + }, + { + "description": "Radio ID\n", + "name": "radioid", + "type": "integer" + }, + { + "description": "Radio ID on the AP closest the rogue AP\n", + "name": "radioidclosest", + "type": "integer" + }, + { + "description": "Radio ID on the AP which detected the rogue AP\n", + "name": "radioiddetected", + "type": "integer" + }, + { + "description": "Wireless rogue rate value\n", + "name": "rate", + "type": "keyword" + }, + { + "description": "Raw data value\n", + "name": "rawdata", + "type": "keyword" + }, + { + "description": "Raw data ID\n", + "name": "rawdataid", + "type": "keyword" + }, + { + "description": "Received bytes delta\n", + "name": "rcvddelta", + "type": "keyword" + }, + 
{ + "description": "Alert reason\n", + "name": "reason", + "type": "keyword" + }, + { + "description": "Server key exchange received\n", + "name": "received", + "type": "integer" + }, + { + "description": "Server key exchange received signature\n", + "name": "receivedsignature", + "type": "keyword" + }, + { + "description": "Memory information in red\n", + "name": "red", + "type": "keyword" + }, + { + "description": "Web filter referralurl\n", + "name": "referralurl", + "type": "keyword" + }, + { + "description": "Remote PPP IP address\n", + "name": "remote", + "type": "ip" + }, + { + "description": "Remote Wifi Radius authentication time\n", + "name": "remotewtptime", + "type": "keyword" + }, + { + "description": "Report type\n", + "name": "reporttype", + "type": "keyword" + }, + { + "description": "Request type\n", + "name": "reqtype", + "type": "keyword" + }, + { + "description": "VOIP request name\n", + "name": "request_name", + "type": "keyword" + }, + { + "description": "VPN phase result\n", + "name": "result", + "type": "keyword" + }, + { + "description": "VPN Phase 2 role\n", + "name": "role", + "type": "keyword" + }, + { + "description": "Received signal strength indicator\n", + "name": "rssi", + "type": "integer" + }, + { + "description": "RADIUS SSO attribute value\n", + "name": "rsso_key", + "type": "keyword" + }, + { + "description": "Rule data\n", + "name": "ruledata", + "type": "keyword" + }, + { + "description": "Rule type\n", + "name": "ruletype", + "type": "keyword" + }, + { + "description": "Number of Scanned MMSs\n", + "name": "scanned", + "type": "integer" + }, + { + "description": "Scanned time\n", + "name": "scantime", + "type": "long" + }, + { + "description": "FortiGuard Override Scope\n", + "name": "scope", + "type": "keyword" + }, + { + "description": "Wireless rogue security\n", + "name": "security", + "type": "keyword" + }, + { + "description": "Sensitivity for document fingerprint\n", + "name": "sensitivity", + "type": "keyword" + }, + 
{ + "description": "NAC Sensor Name\n", + "name": "sensor", + "type": "keyword" + }, + { + "description": "Sent bytes delta\n", + "name": "sentdelta", + "type": "keyword" + }, + { + "description": "Sequence number\n", + "name": "seq", + "type": "keyword" + }, + { + "description": "WAN optimisation serial\n", + "name": "serial", + "type": "keyword" + }, + { + "description": "Serial number\n", + "name": "serialno", + "type": "keyword" + }, + { + "description": "AD server FQDN or IP\n", + "name": "server", + "type": "keyword" + }, + { + "description": "Session ID\n", + "name": "session_id", + "type": "keyword" + }, + { + "description": "WAD Session ID\n", + "name": "sessionid", + "type": "integer" + }, + { + "description": "Session Setup Rate\n", + "name": "setuprate", + "type": "long" + }, + { + "description": "Severity\n", + "name": "severity", + "type": "keyword" + }, + { + "description": "Received bytes dropped by shaper\n", + "name": "shaperdroprcvdbyte", + "type": "integer" + }, + { + "description": "Sent bytes dropped by shaper\n", + "name": "shaperdropsentbyte", + "type": "integer" + }, + { + "description": "Dropped bytes per IP by shaper\n", + "name": "shaperperipdropbyte", + "type": "integer" + }, + { + "description": "Traffic shaper name (per IP)\n", + "name": "shaperperipname", + "type": "keyword" + }, + { + "description": "Traffic shaper name for received traffic\n", + "name": "shaperrcvdname", + "type": "keyword" + }, + { + "description": "Traffic shaper name for sent traffic\n", + "name": "shapersentname", + "type": "keyword" + }, + { + "description": "Traffic shaper policy ID\n", + "name": "shapingpolicyid", + "type": "integer" + }, + { + "description": "Wireless rogue API signal\n", + "name": "signal", + "type": "integer" + }, + { + "description": "Email size in bytes\n", + "name": "size", + "type": "long" + }, + { + "description": "Slot number\n", + "name": "slot", + "type": "integer" + }, + { + "description": "Security fabric serial number\n", + 
"name": "sn", + "type": "keyword" + }, + { + "description": "SN of the AP closest to the rogue AP\n", + "name": "snclosest", + "type": "keyword" + }, + { + "description": "SN of the AP which detected the rogue AP\n", + "name": "sndetected", + "type": "keyword" + }, + { + "description": "SN of the mesh parent\n", + "name": "snmeshparent", + "type": "keyword" + }, + { + "description": "IPSEC SPI\n", + "name": "spi", + "type": "keyword" + }, + { + "description": "Source interface\n", + "name": "src_int", + "type": "keyword" + }, + { + "description": "Source interface role\n", + "name": "srcintfrole", + "type": "keyword" + }, + { + "description": "Source country\n", + "name": "srccountry", + "type": "keyword" + }, + { + "description": "Source family\n", + "name": "srcfamily", + "type": "keyword" + }, + { + "description": "Source hardware vendor\n", + "name": "srchwvendor", + "type": "keyword" + }, + { + "description": "Source hardware version\n", + "name": "srchwversion", + "type": "keyword" + }, + { + "description": "Source interface service\n", + "name": "srcinetsvc", + "type": "keyword" + }, + { + "description": "Source name\n", + "name": "srcname", + "type": "keyword" + }, + { + "description": "Source server\n", + "name": "srcserver", + "type": "integer" + }, + { + "description": "Source SSID\n", + "name": "srcssid", + "type": "keyword" + }, + { + "description": "Source software version\n", + "name": "srcswversion", + "type": "keyword" + }, + { + "description": "Source UUID\n", + "name": "srcuuid", + "type": "keyword" + }, + { + "description": "SSC name\n", + "name": "sscname", + "type": "keyword" + }, + { + "description": "Base Service Set ID\n", + "name": "ssid", + "type": "keyword" + }, + { + "description": "SSL Action\n", + "name": "sslaction", + "type": "keyword" + }, + { + "description": "WAD SSL local\n", + "name": "ssllocal", + "type": "keyword" + }, + { + "description": "WAD SSL remote\n", + "name": "sslremote", + "type": "keyword" + }, + { + 
"description": "Number of stations/clients\n", + "name": "stacount", + "type": "integer" + }, + { + "description": "IPSEC stage\n", + "name": "stage", + "type": "keyword" + }, + { + "description": "802.1x station mac\n", + "name": "stamac", + "type": "keyword" + }, + { + "description": "Admin login state\n", + "name": "state", + "type": "keyword" + }, + { + "description": "Status\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Automation stitch triggered\n", + "name": "stitch", + "type": "keyword" + }, + { + "description": "Email subject\n", + "name": "subject", + "type": "keyword" + }, + { + "description": "Configuration Sub-Module Name\n", + "name": "submodule", + "type": "keyword" + }, + { + "description": "AV subservice\n", + "name": "subservice", + "type": "keyword" + }, + { + "description": "Log subtype\n", + "name": "subtype", + "type": "keyword" + }, + { + "description": "Number of Suspicious MMSs\n", + "name": "suspicious", + "type": "integer" + }, + { + "description": "Protocol change information\n", + "name": "switchproto", + "type": "keyword" + }, + { + "description": "The sync status with the master\n", + "name": "sync_status", + "type": "keyword" + }, + { + "description": "The sync type with the master\n", + "name": "sync_type", + "type": "keyword" + }, + { + "description": "System uptime\n", + "name": "sysuptime", + "type": "keyword" + }, + { + "description": "the MAC address of Transmitter, if none, then Receiver\n", + "name": "tamac", + "type": "keyword" + }, + { + "description": "WIDS threat type\n", + "name": "threattype", + "type": "keyword" + }, + { + "description": "Time of the event\n", + "name": "time", + "type": "keyword" + }, + { + "description": "Email to field\n", + "name": "to", + "type": "keyword" + }, + { + "description": "destination virtual cluster number\n", + "name": "to_vcluster", + "type": "integer" + }, + { + "description": "Total memory\n", + "name": "total", + "type": "integer" + }, + { + "description": 
"Total Number of Sessions\n", + "name": "totalsession", + "type": "integer" + }, + { + "description": "Session clash trace ID\n", + "name": "trace_id", + "type": "keyword" + }, + { + "description": "NAT translation type\n", + "name": "trandisp", + "type": "keyword" + }, + { + "description": "HTTP transaction ID\n", + "name": "transid", + "type": "integer" + }, + { + "description": "DNS filter transaltion ID\n", + "name": "translationid", + "type": "keyword" + }, + { + "description": "Automation stitch trigger\n", + "name": "trigger", + "type": "keyword" + }, + { + "description": "File filter true client IP\n", + "name": "trueclntip", + "type": "ip" + }, + { + "description": "IPSEC tunnel ID\n", + "name": "tunnelid", + "type": "integer" + }, + { + "description": "IPSEC tunnel IP\n", + "name": "tunnelip", + "type": "ip" + }, + { + "description": "IPSEC tunnel type\n", + "name": "tunneltype", + "type": "keyword" + }, + { + "description": "Module type\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Admin authentication UI type\n", + "name": "ui", + "type": "keyword" + }, + { + "description": "Unauthenticated user source\n", + "name": "unauthusersource", + "type": "keyword" + }, + { + "description": "Power supply unit\n", + "name": "unit", + "type": "integer" + }, + { + "description": "URL filter ID\n", + "name": "urlfilteridx", + "type": "integer" + }, + { + "description": "URL filter list\n", + "name": "urlfilterlist", + "type": "keyword" + }, + { + "description": "URL filter source\n", + "name": "urlsource", + "type": "keyword" + }, + { + "description": "URL filter type\n", + "name": "urltype", + "type": "keyword" + }, + { + "description": "Number of Used IPs\n", + "name": "used", + "type": "integer" + }, + { + "description": "Connection for the type\n", + "name": "used_for_type", + "type": "integer" + }, + { + "description": "Security action performed by UTM\n", + "name": "utmaction", + "type": "keyword" + }, + { + "description": "Virtual AP\n", 
+ "name": "vap", + "type": "keyword" + }, + { + "description": "Virtual AP mode\n", + "name": "vapmode", + "type": "keyword" + }, + { + "description": "virtual cluster id\n", + "name": "vcluster", + "type": "integer" + }, + { + "description": "Virtual cluster member\n", + "name": "vcluster_member", + "type": "integer" + }, + { + "description": "Virtual cluster state\n", + "name": "vcluster_state", + "type": "keyword" + }, + { + "description": "Virtual Domain Name\n", + "name": "vd", + "type": "keyword" + }, + { + "description": "Virtual Domain Name\n", + "name": "vdname", + "type": "keyword" + }, + { + "description": "Vulnerability scan vendor name\n", + "name": "vendorurl", + "type": "keyword" + }, + { + "description": "Version\n", + "name": "version", + "type": "keyword" + }, + { + "description": "Virtual IP\n", + "name": "vip", + "type": "keyword" + }, + { + "description": "Virus name\n", + "name": "virus", + "type": "keyword" + }, + { + "description": "Virus ID (unique virus identifier)\n", + "name": "virusid", + "type": "integer" + }, + { + "description": "VOIP protocol\n", + "name": "voip_proto", + "type": "keyword" + }, + { + "description": "VPN description\n", + "name": "vpn", + "type": "keyword" + }, + { + "description": "IPsec Vpn Tunnel Name\n", + "name": "vpntunnel", + "type": "keyword" + }, + { + "description": "The type of the VPN tunnel\n", + "name": "vpntype", + "type": "keyword" + }, + { + "description": "VRF number\n", + "name": "vrf", + "type": "integer" + }, + { + "description": "Vulnerability Category\n", + "name": "vulncat", + "type": "keyword" + }, + { + "description": "Vulnerability ID\n", + "name": "vulnid", + "type": "integer" + }, + { + "description": "Vulnerability name\n", + "name": "vulnname", + "type": "keyword" + }, + { + "description": "VWL ID\n", + "name": "vwlid", + "type": "integer" + }, + { + "description": "VWL quality\n", + "name": "vwlquality", + "type": "keyword" + }, + { + "description": "VWL service\n", + "name": 
"vwlservice", + "type": "keyword" + }, + { + "description": "VWP VLAN ID\n", + "name": "vwpvlanid", + "type": "integer" + }, + { + "description": "WAN incoming traffic in bytes\n", + "name": "wanin", + "type": "long" + }, + { + "description": "WAN Optimization Application type\n", + "name": "wanoptapptype", + "type": "keyword" + }, + { + "description": "WAN outgoing traffic in bytes\n", + "name": "wanout", + "type": "long" + }, + { + "description": "Weak Wep Initiation Vector\n", + "name": "weakwepiv", + "type": "keyword" + }, + { + "description": "XAuth Group Name\n", + "name": "xauthgroup", + "type": "keyword" + }, + { + "description": "XAuth User Name\n", + "name": "xauthuser", + "type": "keyword" + }, + { + "description": "Wireless X ID\n", + "name": "xid", + "type": "integer" + } + ], + "name": "firewall", + "release": "beta", + "type": "group" + } + ], + "name": "fortinet", + "type": "group" + } + ] + } + } + } + } + } + }, + "googlecloud": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "audit": { + "enabled": true, + "var.credentials_file": "${path.config}/gcp-service-account-xyz.json", + "var.project_id": "my-gcp-project-id", + "var.subscription_name": "filebeat-googlecloud-audit", + "var.topic": "googlecloud-vpc-audit" + }, + "firewall": { + "enabled": true, + "var.credentials_file": "${path.config}/gcp-service-account-xyz.json", + "var.project_id": "my-gcp-project-id", + "var.subscription_name": "filebeat-googlecloud-firewall-sub", + "var.topic": "googlecloud-vpc-firewall" + }, + "module": "googlecloud", + "vpcflow": { + "enabled": true, + "var.credentials_file": "${path.config}/gcp-service-account-xyz.json", + "var.project_id": "my-gcp-project-id", + "var.subscription_name": "filebeat-googlecloud-vpc-flowlogs-sub", + "var.topic": "googlecloud-vpc-flowlogs" + } + } + ], + "fields.yml": [ + { + "description": "Module for handling logs from Google Cloud.\n", + "fields": [ + { + "description": "Fields from Google Cloud logs.\n", + 
"fields": [ + { + "description": "If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.\n", + "fields": [ + { + "description": "ID of the project containing the VM.\n", + "name": "project_id", + "type": "keyword" + }, + { + "description": "Region of the VM.\n", + "name": "region", + "type": "keyword" + }, + { + "description": "Zone of the VM.\n", + "name": "zone", + "type": "keyword" + } + ], + "name": "destination.instance", + "type": "group" + }, + { + "description": "If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.\n", + "fields": [ + { + "description": "ID of the project containing the VM.\n", + "name": "project_id", + "type": "keyword" + }, + { + "description": "VPC on which the VM is operating.\n", + "name": "vpc_name", + "type": "keyword" + }, + { + "description": "Subnetwork on which the VM is operating.\n", + "name": "subnetwork_name", + "type": "keyword" + } + ], + "name": "destination.vpc", + "type": "group" + }, + { + "description": "If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. 
In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.\n", + "fields": [ + { + "description": "ID of the project containing the VM.\n", + "name": "project_id", + "type": "keyword" + }, + { + "description": "Region of the VM.\n", + "name": "region", + "type": "keyword" + }, + { + "description": "Zone of the VM.\n", + "name": "zone", + "type": "keyword" + } + ], + "name": "source.instance", + "type": "group" + }, + { + "description": "If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.\n", + "fields": [ + { + "description": "ID of the project containing the VM.\n", + "name": "project_id", + "type": "keyword" + }, + { + "description": "VPC on which the VM is operating.\n", + "name": "vpc_name", + "type": "keyword" + }, + { + "description": "Subnetwork on which the VM is operating.\n", + "name": "subnetwork_name", + "type": "keyword" + } + ], + "name": "source.vpc", + "type": "group" + } + ], + "name": "googlecloud", + "type": "group" + } + ], + "key": "googlecloud", + "title": "Google Cloud" + } + ] + } + }, + "audit": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields for Google Cloud audit logs.\n", + "fields": [ + { + "description": "Type property.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Authentication information. \n", + "fields": [ + { + "description": "The email address of the authenticated user making the request. \n", + "name": "principal_email", + "type": "keyword" + }, + { + "description": "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
\n", + "name": "authority_selector", + "type": "keyword" + } + ], + "name": "authentication_info", + "type": "group" + }, + { + "description": "Authorization information for the operation.\n", + "fields": [ + { + "description": "The required IAM permission. \n", + "name": "permission", + "type": "keyword" + }, + { + "description": "Whether or not authorization for resource and permission was granted. \n", + "name": "granted", + "type": "boolean" + }, + { + "description": "The attributes of the resource.\n", + "fields": [ + { + "description": "The name of the service.\n", + "name": "service", + "type": "keyword" + }, + { + "description": "The name of the resource.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "The type of the resource.\n", + "name": "type", + "type": "keyword" + } + ], + "name": "resource_attributes", + "type": "group" + } + ], + "name": "authorization_info", + "type": "array" + }, + { + "description": "The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'.\n", + "name": "method_name", + "type": "keyword" + }, + { + "description": "The number of items returned from a List or Query API method, if applicable.\n", + "name": "num_response_items", + "type": "long" + }, + { + "description": "The operation request.\n", + "fields": [ + { + "description": "Type property of the request.\n", + "name": "proto_name", + "type": "keyword" + }, + { + "description": "Filter of the request.\n", + "name": "filter", + "type": "keyword" + }, + { + "description": "Name of the request. \n", + "name": "name", + "type": "keyword" + }, + { + "description": "Name of the request resource. \n", + "name": "resource_name", + "type": "keyword" + } + ], + "name": "request", + "type": "group" + }, + { + "description": "Metadata about the request.\n", + "fields": [ + { + "description": "The IP address of the caller. 
\n", + "name": "caller_ip", + "type": "ip" + }, + { + "description": "The user agent of the caller. This information is not authenticated and should be treated accordingly.\n", + "name": "caller_supplied_user_agent", + "type": "keyword" + } + ], + "name": "request_metadata", + "type": "group" + }, + { + "description": "The operation response.\n", + "fields": [ + { + "description": "Type property of the response.\n", + "name": "proto_name", + "type": "keyword" + }, + { + "description": "The details of the response.\n", + "fields": [ + { + "description": "The name of the group.\n", + "name": "group", + "type": "keyword" + }, + { + "description": "The kind of the response details.\n", + "name": "kind", + "type": "keyword" + }, + { + "description": "The name of the response details.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "The uid of the response details.\n", + "name": "uid", + "type": "keyword" + } + ], + "name": "details", + "type": "group" + }, + { + "description": "Status of the response. \n", + "name": "status", + "type": "keyword" + } + ], + "name": "response", + "type": "group" + }, + { + "description": "The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'.\n", + "name": "resource_name", + "type": "keyword" + }, + { + "description": "The location of the resource.\n", + "fields": [ + { + "description": "Current locations of the resource.\n", + "name": "current_locations", + "type": "keyword" + } + ], + "name": "resource_location", + "type": "group" + }, + { + "description": "The name of the API service performing the operation. For example, datastore.googleapis.com.\n", + "name": "service_name", + "type": "keyword" + }, + { + "description": "The status of the overall operation. \n", + "fields": [ + { + "description": "The status code, which should be an enum value of google.rpc.Code. 
\n", + "name": "code", + "type": "integer" + }, + { + "description": "A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. \n", + "name": "message", + "type": "keyword" + } + ], + "name": "status", + "type": "group" + } + ], + "name": "audit", + "type": "group" + } + ] + } + } + } + }, + "firewall": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields for Google Cloud Firewall logs.\n", + "fields": [ + { + "description": "Description of the firewall rule that matched this connection.\n", + "fields": [ + { + "description": "The priority for the firewall rule.", + "name": "priority", + "type": "long" + }, + { + "description": "Action that the rule performs on match.", + "name": "action", + "type": "keyword" + }, + { + "description": "Direction of traffic that matches this rule.", + "name": "direction", + "type": "keyword" + }, + { + "description": "Reference to the firewall rule.", + "name": "reference", + "type": "keyword" + }, + { + "description": "List of source ranges that the firewall rule applies to.", + "name": "source_range", + "type": "keyword" + }, + { + "description": "List of destination ranges that the firewall applies to.", + "name": "destination_range", + "type": "keyword" + }, + { + "description": "List of all the source tags that the firewall rule applies to.\n", + "name": "source_tag", + "type": "keyword" + }, + { + "description": "List of all the target tags that the firewall rule applies to.\n", + "name": "target_tag", + "type": "keyword" + }, + { + "description": "List of ip protocols and applicable port ranges for rules.\n", + "name": "ip_port_info", + "type": "array" + }, + { + "description": "List of all the source service accounts that the firewall rule applies to.\n", + "name": "source_service_account", + "type": "keyword" + }, + { + "description": "List of all the target 
service accounts that the firewall rule applies to.\n", + "name": "target_service_account", + "type": "keyword" + } + ], + "name": "rule_details", + "type": "group" + } + ], + "name": "firewall", + "type": "group" + } + ] + } + } + } + }, + "vpcflow": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields for Google Cloud VPC flow logs.\n", + "fields": [ + { + "description": "The side which reported the flow. Can be either 'SRC' or 'DEST'.\n", + "name": "reporter", + "type": "keyword" + }, + { + "description": "Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.\n", + "name": "rtt.ms", + "type": "long" + } + ], + "name": "vpcflow", + "type": "group" + } + ] + } + } + } + } + } + }, + "gsuite": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "admin": { + "enabled": true + }, + "drive": { + "enabled": true + }, + "groups": { + "enabled": true + }, + "login": { + "enabled": true + }, + "module": "gsuite", + "saml": { + "enabled": true + }, + "user_accounts": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "gsuite Module\n", + "fields": [ + { + "default_field": false, + "description": "Gsuite specific fields.\nMore information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list\n", + "fields": [ + { + "description": "The type of actor.\nValues can be:\n *USER*: Another user in the same domain.\n *EXTERNAL_USER*: A user outside the domain.\n *KEY*: A non-human actor.\n", + "name": "actor.type", + "type": "keyword" + }, + { + "description": "Only present when `actor.type` is `KEY`. 
Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts.\n", + "name": "actor.key", + "type": "keyword" + }, + { + "description": "The type of GSuite event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list\n", + "example": "audit#activity", + "name": "event.type", + "type": "keyword" + }, + { + "description": "The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list\n", + "example": "audit#activity", + "name": "kind", + "type": "keyword" + }, + { + "description": "The domain that is affected by the report's event.\n", + "name": "organization.domain", + "type": "keyword" + } + ], + "name": "gsuite", + "type": "group" + } + ], + "key": "gsuite", + "title": "gsuite" + } + ] + } + }, + "admin": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "fields": [ + { + "description": "The GSuite edition.", + "name": "application.edition", + "type": "keyword" + }, + { + "description": "The application's name.", + "name": "application.name", + "type": "keyword" + }, + { + "description": "The enabled application.", + "name": "application.enabled", + "type": "keyword" + }, + { + "description": "Order number used to redeem licenses.", + "name": "application.licences_order_number", + "type": "keyword" + }, + { + "description": "Number of licences purchased.", + "name": "application.licences_purchased", + "type": "keyword" + }, + { + "description": "The application ID.", + "name": "application.id", + "type": "keyword" + }, + { + "description": "The application specific password ID.", + "name": "application.asp_id", + "type": "keyword" + }, + { + "description": "The mobile application package ID.", + "name": 
"application.package_id", + "type": "keyword" + }, + { + "description": "The group's primary email address.", + "name": "group.email", + "type": "keyword" + }, + { + "description": "The new value for the setting.", + "name": "new_value", + "type": "keyword" + }, + { + "description": "The old value for the setting.", + "name": "old_value", + "type": "keyword" + }, + { + "description": "The organizational unit name.", + "name": "org_unit.name", + "type": "keyword" + }, + { + "description": "The org unit full path including the root org unit name.", + "name": "org_unit.full", + "type": "keyword" + }, + { + "description": "The setting name.", + "name": "setting.name", + "type": "keyword" + }, + { + "description": "The name of the user-defined setting.", + "name": "user_defined_setting.name", + "type": "keyword" + }, + { + "description": "The setting name.", + "name": "setting.description", + "type": "keyword" + }, + { + "description": "Group priorities.", + "name": "group.priorities", + "type": "keyword" + }, + { + "description": "The domain alias.", + "name": "domain.alias", + "type": "keyword" + }, + { + "description": "The primary domain name.", + "name": "domain.name", + "type": "keyword" + }, + { + "description": "The secondary domain name.", + "name": "domain.secondary_name", + "type": "keyword" + }, + { + "description": "The name of the managed configuration.", + "name": "managed_configuration", + "type": "keyword" + }, + { + "description": "Non-featured services selection. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\n", + "name": "non_featured_services_selection", + "type": "keyword" + }, + { + "description": "The name of the field.", + "name": "field", + "type": "keyword" + }, + { + "description": "The name of the resource identifier.", + "name": "resource.id", + "type": "keyword" + }, + { + "description": "The user's primary email address.", + "name": "user.email", + "type": "keyword" + }, + { + "description": "The user's nickname.", + "name": "user.nickname", + "type": "keyword" + }, + { + "description": "The user's birth date.", + "name": "user.birthdate", + "type": "date" + }, + { + "description": "Gateway name. Present on some chat settings.", + "name": "gateway.name", + "type": "keyword" + }, + { + "description": "Chrome OS session type.", + "name": "chrome_os.session_type", + "type": "keyword" + }, + { + "description": "Device serial number.", + "name": "device.serial_number", + "type": "keyword" + }, + { + "name": "device.id", + "type": "keyword" + }, + { + "description": "Device type.", + "name": "device.type", + "type": "keyword" + }, + { + "description": "The name of the print server.", + "name": "print_server.name", + "type": "keyword" + }, + { + "description": "The name of the printer.", + "name": "printer.name", + "type": "keyword" + }, + { + "description": "Command details.", + "name": "device.command_details", + "type": "keyword" + }, + { + "description": "Unique identifier for this role privilege.", + "name": "role.id", + "type": "keyword" + }, + { + "description": "The role name. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings\n", + "name": "role.name", + "type": "keyword" + }, + { + "description": "Privilege name.", + "name": "privilege.name", + "type": "keyword" + }, + { + "description": "The service name.", + "name": "service.name", + "type": "keyword" + }, + { + "description": "The website name.", + "name": "url.name", + "type": "keyword" + }, + { + "description": "The product name.", + "name": "product.name", + "type": "keyword" + }, + { + "description": "The product SKU.", + "name": "product.sku", + "type": "keyword" + }, + { + "description": "Number of failed records in bulk upload operation.", + "name": "bulk_upload.failed", + "type": "long" + }, + { + "description": "Number of total records in bulk upload operation.", + "name": "bulk_upload.total", + "type": "long" + }, + { + "description": "Names of allow-listed groups.", + "name": "group.allowed_list", + "type": "keyword" + }, + { + "description": "The name of the quarantine.", + "name": "email.quarantine_name", + "type": "keyword" + }, + { + "description": "The log search filter's email message ID.", + "name": "email.log_search_filter.message_id", + "type": "keyword" + }, + { + "description": "The log search filter's start date.", + "name": "email.log_search_filter.start_date", + "type": "date" + }, + { + "description": "The log search filter's ending date.", + "name": "email.log_search_filter.end_date", + "type": "date" + }, + { + "description": "The log search filter's email recipient.", + "name": "email.log_search_filter.recipient.value", + "type": "keyword" + }, + { + "description": "The log search filter's email sender.", + "name": "email.log_search_filter.sender.value", + "type": "keyword" + }, + { + "description": "The log search filter's email recipient's IP address.", + "name": "email.log_search_filter.recipient.ip", + "type": "ip" + }, + { + "description": "The log search 
filter's email sender's IP address.", + "name": "email.log_search_filter.sender.ip", + "type": "ip" + }, + { + "description": "Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings\n", + "name": "chrome_licenses.enabled", + "type": "keyword" + }, + { + "description": "Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings\n", + "name": "chrome_licenses.allowed", + "type": "keyword" + }, + { + "description": "OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings\n", + "name": "oauth2.service.name", + "type": "keyword" + }, + { + "description": "OAuth2 application ID.", + "name": "oauth2.application.id", + "type": "keyword" + }, + { + "description": "OAuth2 application name.", + "name": "oauth2.application.name", + "type": "keyword" + }, + { + "description": "OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings\n", + "name": "oauth2.application.type", + "type": "keyword" + }, + { + "description": "Related verification method. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings\n", + "name": "verification_method", + "type": "keyword" + }, + { + "description": "The alert name.", + "name": "alert.name", + "type": "keyword" + }, + { + "description": "The rule name.", + "name": "rule.name", + "type": "keyword" + }, + { + "description": "The API client name.", + "name": "api.client.name", + "type": "keyword" + }, + { + "description": "The API scopes.", + "name": "api.scopes", + "type": "keyword" + }, + { + "description": "The MDM vendor enrollment token.", + "name": "mdm.token", + "type": "keyword" + }, + { + "description": "The MDM vendor's name.", + "name": "mdm.vendor", + "type": "keyword" + }, + { + "description": "This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings\n", + "name": "info_type", + "type": "keyword" + }, + { + "description": "The destination address of the email monitor.", + "name": "email_monitor.dest_email", + "type": "keyword" + }, + { + "description": "The chat email monitor level.", + "name": "email_monitor.level.chat", + "type": "keyword" + }, + { + "description": "The draft email monitor level.", + "name": "email_monitor.level.draft", + "type": "keyword" + }, + { + "description": "The incoming email monitor level.", + "name": "email_monitor.level.incoming", + "type": "keyword" + }, + { + "description": "The outgoing email monitor level.", + "name": "email_monitor.level.outgoing", + "type": "keyword" + }, + { + "description": "Indicates if deleted emails are included in the export.", + "name": "email_dump.include_deleted", + "type": "boolean" + }, + { + "description": "The contents of the mailbox package.", + "name": "email_dump.package_content", + "type": 
"keyword" + }, + { + "description": "The search query used for the dump.", + "name": "email_dump.query", + "type": "keyword" + }, + { + "description": "The request ID.", + "name": "request.id", + "type": "keyword" + }, + { + "description": "The mobile device action's ID.", + "name": "mobile.action.id", + "type": "keyword" + }, + { + "description": "The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings\n", + "name": "mobile.action.type", + "type": "keyword" + }, + { + "description": "The mobile certificate common name.", + "name": "mobile.certificate.name", + "type": "keyword" + }, + { + "description": "The number of devices a company owns.", + "name": "mobile.company_owned_devices", + "type": "long" + }, + { + "description": "The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings\n", + "name": "distribution.entity.name", + "type": "keyword" + }, + { + "description": "The distribution entity type, which can be a group or an org-unit. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings\n", + "name": "distribution.entity.type", + "type": "keyword" + } + ], + "name": "admin", + "type": "group" + } + ] + } + }, + "config": { + "files": { + "config.yml": [ + { + "fields": [ + { + "description": "The GSuite edition.", + "name": "application.edition", + "type": "keyword" + }, + { + "description": "The application's name.", + "name": "application.name", + "type": "keyword" + }, + { + "description": "The enabled application.", + "name": "application.enabled", + "type": "keyword" + }, + { + "description": "Order number used to redeem licenses.", + "name": "application.licences_order_number", + "type": "keyword" + }, + { + "description": "Number of licences purchased.", + "name": "application.licences_purchased", + "type": "keyword" + }, + { + "description": "The application ID.", + "name": "application.id", + "type": "keyword" + }, + { + "description": "The application specific password ID.", + "name": "application.asp_id", + "type": "keyword" + }, + { + "description": "The mobile application package ID.", + "name": "application.package_id", + "type": "keyword" + }, + { + "description": "The group's primary email address.", + "name": "group.email", + "type": "keyword" + }, + { + "description": "The new value for the setting.", + "name": "new_value", + "type": "keyword" + }, + { + "description": "The old value for the setting.", + "name": "old_value", + "type": "keyword" + }, + { + "description": "The organizational unit name.", + "name": "org_unit.name", + "type": "keyword" + }, + { + "description": "The org unit full path including the root org unit name.", + "name": "org_unit.full", + "type": "keyword" + }, + { + "description": "The setting name.", + "name": "setting.name", + "type": "keyword" + }, + { + "description": "The name of the user-defined setting.", + "name": "user_defined_setting.name", + "type": "keyword" + }, + { 
+ "description": "The setting name.", + "name": "setting.description", + "type": "keyword" + }, + { + "description": "Group priorities.", + "name": "group.priorities", + "type": "keyword" + }, + { + "description": "The domain alias.", + "name": "domain.alias", + "type": "keyword" + }, + { + "description": "The primary domain name.", + "name": "domain.name", + "type": "keyword" + }, + { + "description": "The secondary domain name.", + "name": "domain.secondary_name", + "type": "keyword" + }, + { + "description": "The name of the managed configuration.", + "name": "managed_configuration", + "type": "keyword" + }, + { + "description": "Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\n", + "name": "non_featured_services_selection", + "type": "keyword" + }, + { + "description": "The name of the field.", + "name": "field", + "type": "keyword" + }, + { + "description": "The name of the resource identifier.", + "name": "resource.id", + "type": "keyword" + }, + { + "description": "The user's primary email address.", + "name": "user.email", + "type": "keyword" + }, + { + "description": "The user's nickname.", + "name": "user.nickname", + "type": "keyword" + }, + { + "description": "The user's birth date.", + "name": "user.birthdate", + "type": "date" + }, + { + "description": "Gateway name. 
Present on some chat settings.", + "name": "gateway.name", + "type": "keyword" + }, + { + "description": "Chrome OS session type.", + "name": "chrome_os.session_type", + "type": "keyword" + }, + { + "description": "Device serial number.", + "name": "device.serial_number", + "type": "keyword" + }, + { + "name": "device.id", + "type": "keyword" + }, + { + "description": "Device type.", + "name": "device.type", + "type": "keyword" + }, + { + "description": "The name of the print server.", + "name": "print_server.name", + "type": "keyword" + }, + { + "description": "The name of the printer.", + "name": "printer.name", + "type": "keyword" + }, + { + "description": "Command details.", + "name": "device.command_details", + "type": "keyword" + }, + { + "description": "Unique identifier for this role privilege.", + "name": "role.id", + "type": "keyword" + }, + { + "description": "The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings\n", + "name": "role.name", + "type": "keyword" + }, + { + "description": "Privilege name.", + "name": "privilege.name", + "type": "keyword" + }, + { + "description": "The service name.", + "name": "service.name", + "type": "keyword" + }, + { + "description": "The website name.", + "name": "url.name", + "type": "keyword" + }, + { + "description": "The product name.", + "name": "product.name", + "type": "keyword" + }, + { + "description": "The product SKU.", + "name": "product.sku", + "type": "keyword" + }, + { + "description": "Number of failed records in bulk upload operation.", + "name": "bulk_upload.failed", + "type": "long" + }, + { + "description": "Number of total records in bulk upload operation.", + "name": "bulk_upload.total", + "type": "long" + }, + { + "description": "Names of allow-listed groups.", + "name": "group.allowed_list", + "type": "keyword" + }, + { + "description": "The name of the quarantine.", + "name": 
"email.quarantine_name", + "type": "keyword" + }, + { + "description": "The log search filter's email message ID.", + "name": "email.log_search_filter.message_id", + "type": "keyword" + }, + { + "description": "The log search filter's start date.", + "name": "email.log_search_filter.start_date", + "type": "date" + }, + { + "description": "The log search filter's ending date.", + "name": "email.log_search_filter.end_date", + "type": "date" + }, + { + "description": "The log search filter's email recipient.", + "name": "email.log_search_filter.recipient.value", + "type": "keyword" + }, + { + "description": "The log search filter's email sender.", + "name": "email.log_search_filter.sender.value", + "type": "keyword" + }, + { + "description": "The log search filter's email recipient's IP address.", + "name": "email.log_search_filter.recipient.ip", + "type": "ip" + }, + { + "description": "The log search filter's email sender's IP address.", + "name": "email.log_search_filter.sender.ip", + "type": "ip" + }, + { + "description": "Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings\n", + "name": "chrome_licenses.enabled", + "type": "keyword" + }, + { + "description": "Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings\n", + "name": "chrome_licenses.allowed", + "type": "keyword" + }, + { + "description": "OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings\n", + "name": "oauth2.service.name", + "type": "keyword" + }, + { + "description": "OAuth2 application ID.", + "name": "oauth2.application.id", + "type": "keyword" + }, + { + "description": "OAuth2 application name.", + "name": "oauth2.application.name", + "type": "keyword" + }, + { + "description": "OAuth2 application type. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings\n", + "name": "oauth2.application.type", + "type": "keyword" + }, + { + "description": "Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings\n", + "name": "verification_method", + "type": "keyword" + }, + { + "description": "The alert name.", + "name": "alert.name", + "type": "keyword" + }, + { + "description": "The rule name.", + "name": "rule.name", + "type": "keyword" + }, + { + "description": "The API client name.", + "name": "api.client.name", + "type": "keyword" + }, + { + "description": "The API scopes.", + "name": "api.scopes", + "type": "keyword" + }, + { + "description": "The MDM vendor enrollment token.", + "name": "mdm.token", + "type": "keyword" + }, + { + "description": "The MDM vendor's name.", + "name": "mdm.vendor", + "type": "keyword" + }, + { + "description": "This will be used to state what kind of information was changed. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings\n", + "name": "info_type", + "type": "keyword" + }, + { + "description": "The destination address of the email monitor.", + "name": "email_monitor.dest_email", + "type": "keyword" + }, + { + "description": "The chat email monitor level.", + "name": "email_monitor.level.chat", + "type": "keyword" + }, + { + "description": "The draft email monitor level.", + "name": "email_monitor.level.draft", + "type": "keyword" + }, + { + "description": "The incoming email monitor level.", + "name": "email_monitor.level.incoming", + "type": "keyword" + }, + { + "description": "The outgoing email monitor level.", + "name": "email_monitor.level.outgoing", + "type": "keyword" + }, + { + "description": "Indicates if deleted emails are included in the export.", + "name": "email_dump.include_deleted", + "type": "boolean" + }, + { + "description": "The contents of the mailbox package.", + "name": "email_dump.package_content", + "type": "keyword" + }, + { + "description": "The search query used for the dump.", + "name": "email_dump.query", + "type": "keyword" + }, + { + "description": "The request ID.", + "name": "request.id", + "type": "keyword" + }, + { + "description": "The mobile device action's ID.", + "name": "mobile.action.id", + "type": "keyword" + }, + { + "description": "The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings\n", + "name": "mobile.action.type", + "type": "keyword" + }, + { + "description": "The mobile certificate common name.", + "name": "mobile.certificate.name", + "type": "keyword" + }, + { + "description": "The number of devices a company owns.", + "name": "mobile.company_owned_devices", + "type": "long" + }, + { + "description": "The distribution entity value, which can be a group name or an org-unit name. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings\n", + "name": "distribution.entity.name", + "type": "keyword" + }, + { + "description": "The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings\n", + "name": "distribution.entity.type", + "type": "keyword" + } + ], + "name": "admin", + "type": "group" + } + ] + } + } + } + }, + "drive": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "fields": [ + { + "description": "Whether this activity is billable.", + "name": "billable", + "type": "boolean" + }, + { + "name": "source_folder_id", + "type": "keyword" + }, + { + "name": "source_folder_title", + "type": "keyword" + }, + { + "name": "destination_folder_id", + "type": "keyword" + }, + { + "name": "destination_folder_title", + "type": "keyword" + }, + { + "name": "file.id", + "type": "keyword" + }, + { + "description": "Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive\n", + "name": "file.type", + "type": "keyword" + }, + { + "description": "The Google Cloud Project ID of the application that performed the action.\n", + "name": "originating_app_id", + "type": "keyword" + }, + { + "name": "file.owner.email", + "type": "keyword" + }, + { + "description": "Boolean flag denoting whether owner is a shared drive.\n", + "name": "file.owner.is_shared_drive", + "type": "boolean" + }, + { + "description": "Whether this is a primary event. A single user action in Drive may generate several events.\n", + "name": "primary_event", + "type": "boolean" + }, + { + "description": "The unique identifier of the Team Drive. 
Only populated for for events relating to a Team Drive or item contained inside a Team Drive.\n", + "name": "shared_drive_id", + "type": "keyword" + }, + { + "description": "Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive\n", + "name": "visibility", + "type": "keyword" + }, + { + "description": "When a setting or property of the file changes, the new value for it will appear here.\n", + "name": "new_value", + "type": "keyword" + }, + { + "description": "When a setting or property of the file changes, the old value for it will appear here.\n", + "name": "old_value", + "type": "keyword" + }, + { + "description": "Doc ID of the recipient of a sheets import range.", + "name": "sheets_import_range_recipient_doc", + "type": "keyword" + }, + { + "description": "When visibility changes, this holds the old value.\n", + "name": "old_visibility", + "type": "keyword" + }, + { + "description": "When visibility changes, this holds the new overall visibility of the file.\n", + "name": "visibility_change", + "type": "keyword" + }, + { + "description": "The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.\n", + "name": "target_domain", + "type": "keyword" + }, + { + "description": "Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive\n", + "name": "added_role", + "type": "keyword" + }, + { + "description": "Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive\n", + "name": "membership_change_type", + "type": "keyword" + }, + { + "description": "Type of change in Team Drive settings. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive\n", + "name": "shared_drive_settings_change_type", + "type": "keyword" + }, + { + "description": "Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive\n", + "name": "removed_role", + "type": "keyword" + }, + { + "description": "Target user or group.", + "name": "target", + "type": "keyword" + } + ], + "name": "drive", + "type": "group" + } + ] + } + }, + "config": { + "files": { + "config.yml": [ + { + "fields": [ + { + "description": "Whether this activity is billable.", + "name": "billable", + "type": "boolean" + }, + { + "name": "source_folder_id", + "type": "keyword" + }, + { + "name": "source_folder_title", + "type": "keyword" + }, + { + "name": "destination_folder_id", + "type": "keyword" + }, + { + "name": "destination_folder_title", + "type": "keyword" + }, + { + "name": "file.id", + "type": "keyword" + }, + { + "description": "Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive\n", + "name": "file.type", + "type": "keyword" + }, + { + "description": "The Google Cloud Project ID of the application that performed the action.\n", + "name": "originating_app_id", + "type": "keyword" + }, + { + "name": "file.owner.email", + "type": "keyword" + }, + { + "description": "Boolean flag denoting whether owner is a shared drive.\n", + "name": "file.owner.is_shared_drive", + "type": "boolean" + }, + { + "description": "Whether this is a primary event. A single user action in Drive may generate several events.\n", + "name": "primary_event", + "type": "boolean" + }, + { + "description": "The unique identifier of the Team Drive. 
Only populated for for events relating to a Team Drive or item contained inside a Team Drive.\n", + "name": "shared_drive_id", + "type": "keyword" + }, + { + "description": "Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive\n", + "name": "visibility", + "type": "keyword" + }, + { + "description": "When a setting or property of the file changes, the new value for it will appear here.\n", + "name": "new_value", + "type": "keyword" + }, + { + "description": "When a setting or property of the file changes, the old value for it will appear here.\n", + "name": "old_value", + "type": "keyword" + }, + { + "description": "Doc ID of the recipient of a sheets import range.", + "name": "sheets_import_range_recipient_doc", + "type": "keyword" + }, + { + "description": "When visibility changes, this holds the old value.\n", + "name": "old_visibility", + "type": "keyword" + }, + { + "description": "When visibility changes, this holds the new overall visibility of the file.\n", + "name": "visibility_change", + "type": "keyword" + }, + { + "description": "The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.\n", + "name": "target_domain", + "type": "keyword" + }, + { + "description": "Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive\n", + "name": "added_role", + "type": "keyword" + }, + { + "description": "Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive\n", + "name": "membership_change_type", + "type": "keyword" + }, + { + "description": "Type of change in Team Drive settings. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive\n", + "name": "shared_drive_settings_change_type", + "type": "keyword" + }, + { + "description": "Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive\n", + "name": "removed_role", + "type": "keyword" + }, + { + "description": "Target user or group.", + "name": "target", + "type": "keyword" + } + ], + "name": "drive", + "type": "group" + } + ] + } + } + } + }, + "groups": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "fields": [ + { + "description": "Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups\n", + "name": "acl_permission", + "type": "keyword" + }, + { + "description": "Group email.\n", + "name": "email", + "type": "keyword" + }, + { + "description": "Member email.\n", + "name": "member.email", + "type": "keyword" + }, + { + "description": "Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups\n", + "name": "member.role", + "type": "keyword" + }, + { + "description": "Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups\n", + "name": "setting", + "type": "keyword" + }, + { + "description": "New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups\n", + "name": "new_value", + "type": "keyword" + }, + { + "description": "Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups", + "name": "old_value", + "type": "keyword" + }, + { + "description": "Value of the group setting. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups\n", + "name": "value", + "type": "keyword" + }, + { + "description": "SMTP message Id of an email message. Present for moderation events.\n", + "name": "message.id", + "type": "keyword" + }, + { + "description": "Message moderation action. Possible values are `approved` and `rejected`.\n", + "name": "message.moderation_action", + "type": "keyword" + }, + { + "description": "A status describing the output of an operation. Possible values are `failed` and `succeeded`.\n", + "name": "status", + "type": "keyword" + } + ], + "name": "groups", + "type": "group" + } + ] + } + }, + "config": { + "files": { + "config.yml": [ + { + "fields": [ + { + "description": "Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups\n", + "name": "acl_permission", + "type": "keyword" + }, + { + "description": "Group email.\n", + "name": "email", + "type": "keyword" + }, + { + "description": "Member email.\n", + "name": "member.email", + "type": "keyword" + }, + { + "description": "Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups\n", + "name": "member.role", + "type": "keyword" + }, + { + "description": "Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups\n", + "name": "setting", + "type": "keyword" + }, + { + "description": "New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups\n", + "name": "new_value", + "type": "keyword" + }, + { + "description": "Old value(s) of the group setting. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups", + "name": "old_value", + "type": "keyword" + }, + { + "description": "Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups\n", + "name": "value", + "type": "keyword" + }, + { + "description": "SMTP message Id of an email message. Present for moderation events.\n", + "name": "message.id", + "type": "keyword" + }, + { + "description": "Message moderation action. Possible values are `approved` and `rejected`.\n", + "name": "message.moderation_action", + "type": "keyword" + }, + { + "description": "A status describing the output of an operation. Possible values are `failed` and `succeeded`.\n", + "name": "status", + "type": "keyword" + } + ], + "name": "groups", + "type": "group" + } + ] + } + } + } + }, + "login": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "fields": [ + { + "name": "affected_email_address", + "type": "keyword" + }, + { + "description": "Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.\n", + "name": "challenge_method", + "type": "keyword" + }, + { + "description": "Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.\n", + "name": "failure_type", + "type": "keyword" + }, + { + "description": "Login credentials type. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.\n", + "name": "type", + "type": "keyword" + }, + { + "name": "is_second_factor", + "type": "boolean" + }, + { + "name": "is_suspicious", + "type": "boolean" + } + ], + "name": "login", + "type": "group" + } + ] + } + }, + "config": { + "files": { + "config.yml": [ + { + "fields": [ + { + "name": "affected_email_address", + "type": "keyword" + }, + { + "description": "Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.\n", + "name": "challenge_method", + "type": "keyword" + }, + { + "description": "Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.\n", + "name": "failure_type", + "type": "keyword" + }, + { + "description": "Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.\n", + "name": "type", + "type": "keyword" + }, + { + "name": "is_second_factor", + "type": "boolean" + }, + { + "name": "is_suspicious", + "type": "boolean" + } + ], + "name": "login", + "type": "group" + } + ] + } + } + } + }, + "saml": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "fields": [ + { + "description": "Saml SP application name.\n", + "name": "application_name", + "type": "keyword" + }, + { + "description": "Login failure type. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml.\n", + "name": "failure_type", + "type": "keyword" + }, + { + "description": "Requester of SAML authentication.\n", + "name": "initiated_by", + "type": "keyword" + }, + { + "description": "User orgunit.\n", + "name": "orgunit_path", + "type": "keyword" + }, + { + "description": "SAML status code.\n", + "name": "status_code", + "type": "long" + }, + { + "description": "SAML second level status code.\n", + "name": "second_level_status_code", + "type": "long" + } + ], + "name": "saml", + "type": "group" + } + ] + } + }, + "config": { + "files": { + "config.yml": [ + { + "fields": [ + { + "description": "Saml SP application name.\n", + "name": "application_name", + "type": "keyword" + }, + { + "description": "Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml.\n", + "name": "failure_type", + "type": "keyword" + }, + { + "description": "Requester of SAML authentication.\n", + "name": "initiated_by", + "type": "keyword" + }, + { + "description": "User orgunit.\n", + "name": "orgunit_path", + "type": "keyword" + }, + { + "description": "SAML status code.\n", + "name": "status_code", + "type": "long" + }, + { + "description": "SAML second level status code.\n", + "name": "second_level_status_code", + "type": "long" + } + ], + "name": "saml", + "type": "group" + } + ] + } + } + } + }, + "user_accounts": { + "folders": { + "config": { + "files": { + "config.yml": [ + { + "fields": [ + { + "description": "Saml SP application name.\n", + "name": "application_name", + "type": "keyword" + }, + { + "description": "Login failure type. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml.\n", + "name": "failure_type", + "type": "keyword" + }, + { + "description": "Requester of SAML authentication.\n", + "name": "initiated_by", + "type": "keyword" + }, + { + "description": "User orgunit.\n", + "name": "orgunit_path", + "type": "keyword" + }, + { + "description": "SAML status code.\n", + "name": "status_code", + "type": "long" + }, + { + "description": "SAML second level status code.\n", + "name": "second_level_status_code", + "type": "long" + } + ], + "name": "saml", + "type": "group" + } + ] + } + } + } + } + } + }, + "haproxy": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "haproxy" + } + ], + "fields.yml": [ + { + "description": "haproxy Module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "Name of the frontend (or listener) which received and processed the connection.", + "name": "frontend_name" + }, + { + "description": "Name of the backend (or listener) which was selected to manage the connection to the server.", + "name": "backend_name" + }, + { + "description": "Name of the last server to which the connection was sent.", + "name": "server_name" + }, + { + "description": "Total time in milliseconds spent waiting in the various queues", + "name": "total_waiting_time_ms", + "type": "long" + }, + { + "description": "Total time in milliseconds spent waiting for the connection to establish to the final server", + "name": "connection_wait_time_ms", + "type": "long" + }, + { + "description": "Total number of bytes transmitted to the client when the log is emitted.", + "name": "bytes_read", + "type": "long" + }, + { + "description": "Total time in milliseconds spent waiting in the various queues.", + "name": "time_queue", + "type": "long" + }, + { + "description": "Total time in milliseconds spent waiting for the connection to establish to the 
final server, including retries.", + "name": "time_backend_connect", + "type": "long" + }, + { + "description": "Total number of requests which were processed before this one in the server queue.", + "name": "server_queue", + "type": "long" + }, + { + "description": "Total number of requests which were processed before this one in the backend's global queue.", + "name": "backend_queue", + "type": "long" + }, + { + "description": "Name of the listening address which received the connection.", + "name": "bind_name" + }, + { + "description": "Error message logged by HAProxy in case of error.", + "name": "error_message", + "type": "text" + }, + { + "description": "The HAProxy source of the log", + "name": "source", + "type": "keyword" + }, + { + "description": "Condition the session was in when the session ended.", + "name": "termination_state" + }, + { + "description": "mode that the frontend is operating (TCP or HTTP)", + "name": "mode", + "type": "keyword" + }, + { + "description": "Contains various counts of connections active in the process.", + "fields": [ + { + "description": "Total number of concurrent connections on the process when the session was logged.", + "name": "active", + "type": "long" + }, + { + "description": "Total number of concurrent connections on the frontend when the session was logged.", + "name": "frontend", + "type": "long" + }, + { + "description": "Total number of concurrent connections handled by the backend when the session was logged.", + "name": "backend", + "type": "long" + }, + { + "description": "Total number of concurrent connections still active on the server when the session was logged.", + "name": "server", + "type": "long" + }, + { + "description": "Number of connection retries experienced by this session when trying to connect to the server.", + "name": "retries", + "type": "long" + } + ], + "name": "connections", + "type": "group" + }, + { + "description": "Information about the client doing the request", + "fields": [ + { + 
"migration": true, + "name": "ip", + "path": "source.address", + "type": "alias" + }, + { + "migration": true, + "name": "port", + "path": "source.port", + "type": "alias" + } + ], + "name": "client", + "type": "group" + }, + { + "migration": true, + "name": "process_name", + "path": "process.name", + "type": "alias" + }, + { + "migration": true, + "name": "pid", + "path": "process.pid", + "type": "alias" + }, + { + "description": "Destination information", + "fields": [ + { + "migration": true, + "name": "port", + "path": "destination.port", + "type": "alias" + }, + { + "migration": true, + "name": "ip", + "path": "destination.ip", + "type": "alias" + } + ], + "name": "destination", + "type": "group" + }, + { + "description": "Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.\n", + "fields": [ + { + "migration": true, + "name": "continent_name", + "path": "source.geo.continent_name", + "type": "alias" + }, + { + "migration": true, + "name": "country_iso_code", + "path": "source.geo.country_iso_code", + "type": "alias" + }, + { + "migration": true, + "name": "location", + "path": "source.geo.location", + "type": "alias" + }, + { + "migration": true, + "name": "region_name", + "path": "source.geo.region_name", + "type": "alias" + }, + { + "migration": true, + "name": "city_name", + "path": "source.geo.city_name", + "type": "alias" + }, + { + "migration": true, + "name": "region_iso_code", + "path": "source.geo.region_iso_code", + "type": "alias" + } + ], + "name": "geoip", + "type": "group" + } + ], + "name": "haproxy", + "type": "group" + } + ], + "key": "haproxy", + "title": "HAProxy" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Please add description", + "fields": [ + { + "description": "Fields related to the HTTP response", + "fields": [ + { + "description": "Optional \"name=value\" entry indicating that the client 
had this cookie in the response.\n", + "name": "captured_cookie" + }, + { + "description": "List of headers captured in the response due to the presence of the \"capture response header\" statement in the frontend.\n", + "name": "captured_headers", + "type": "keyword" + }, + { + "migration": true, + "name": "status_code", + "path": "http.response.status_code", + "type": "alias" + } + ], + "name": "response", + "type": "group" + }, + { + "description": "Fields related to the HTTP request", + "fields": [ + { + "description": "Optional \"name=value\" entry indicating that the server has returned a cookie with its request.\n", + "name": "captured_cookie" + }, + { + "description": "List of headers captured in the request due to the presence of the \"capture request header\" statement in the frontend.\n", + "name": "captured_headers", + "type": "keyword" + }, + { + "description": "Complete HTTP request line, including the method, request and HTTP version string.", + "name": "raw_request_line", + "type": "keyword" + }, + { + "description": "Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data.", + "name": "time_wait_without_data_ms", + "type": "long" + }, + { + "description": "Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received.", + "name": "time_wait_ms", + "type": "long" + } + ], + "name": "request", + "type": "group" + } + ], + "name": "http", + "type": "group" + }, + { + "description": "TCP log format", + "fields": [ + { + "description": "Total time in milliseconds elapsed between the accept and the last close", + "name": "connection_waiting_time_ms", + "type": "long" + } + ], + "name": "tcp", + "type": "group" + } + ] + } + } + } + } + } + }, + "ibmmq": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "errorlog": { + "enabled": true + }, + "module": "ibmmq" + } + ], + "fields.yml": [ + { + "description": "ibmmq 
Module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "ibmmq", + "type": "group" + } + ], + "key": "ibmmq", + "release": "ga", + "title": "ibmmq" + } + ] + } + }, + "errorlog": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "IBM MQ error logs", + "fields": [ + { + "description": "This is the installation name which can be given at installation time.\nEach installation of IBM MQ on UNIX, Linux, and Windows, has a unique identifier known as an installation name. The installation name is used to associate things such as queue managers and configuration files with an installation.\n", + "name": "installation", + "type": "keyword" + }, + { + "description": "Name of the queue manager. Queue managers provide queuing services to applications, and manages the queues that belong to them.\n", + "name": "qmgr", + "type": "keyword" + }, + { + "description": "Changing content based on error.id", + "name": "arithinsert", + "type": "keyword" + }, + { + "description": "Changing content based on error.id", + "name": "commentinsert", + "type": "keyword" + }, + { + "description": "Please add description", + "example": "Please add example", + "name": "errordescription", + "type": "text" + }, + { + "description": "Explaines the error in more detail", + "name": "explanation", + "type": "keyword" + }, + { + "description": "Defines what to do when the error occurs", + "name": "action", + "type": "keyword" + }, + { + "description": "Error code.", + "name": "code", + "type": "keyword" + } + ], + "name": "errorlog", + "type": "group" + } + ] + } + } + } + } + } + }, + "icinga": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "debug": { + "enabled": true + }, + "main": { + "enabled": true + }, + "module": "icinga", + "startup": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "Icinga Module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "icinga", + "type": "group" + } + 
], + "key": "icinga", + "title": "Icinga" + } + ] + } + }, + "debug": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains fields for the Icinga debug logs.\n", + "fields": [ + { + "description": "Specifies what component of Icinga logged the message.\n", + "name": "facility", + "type": "keyword" + }, + { + "migration": true, + "name": "severity", + "path": "log.level", + "type": "alias" + }, + { + "migration": true, + "name": "message", + "path": "message", + "type": "alias" + } + ], + "name": "debug", + "type": "group" + } + ] + } + } + } + }, + "main": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains fields for the Icinga main logs.\n", + "fields": [ + { + "description": "Specifies what component of Icinga logged the message.\n", + "name": "facility", + "type": "keyword" + }, + { + "migration": true, + "name": "severity", + "path": "log.level", + "type": "alias" + }, + { + "migration": true, + "name": "message", + "path": "message", + "type": "alias" + } + ], + "name": "main", + "type": "group" + } + ] + } + } + } + }, + "startup": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains fields for the Icinga startup logs.\n", + "fields": [ + { + "description": "Specifies what component of Icinga logged the message.\n", + "name": "facility", + "type": "keyword" + }, + { + "migration": true, + "name": "severity", + "path": "log.level", + "type": "alias" + }, + { + "migration": true, + "name": "message", + "path": "message", + "type": "alias" + } + ], + "name": "startup", + "type": "group" + } + ] + } + } + } + } + } + }, + "iis": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "access": { + "enabled": true + }, + "error": { + "enabled": true + }, + "module": "iis" + } + ], + "fields.yml": [ + { + "description": "Module for parsing IIS log files.\n", + "fields": [ + { + "description": "Fields from IIS log files.\n", + "fields": 
null, + "name": "iis", + "type": "group" + } + ], + "key": "iis", + "title": "IIS" + } + ] + } + }, + "access": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains fields for IIS access logs.\n", + "fields": [ + { + "description": "The HTTP substatus code.\n", + "name": "sub_status", + "type": "long" + }, + { + "description": "The Windows status code.\n", + "name": "win32_status", + "type": "long" + }, + { + "description": "The site name and instance number.\n", + "name": "site_name", + "type": "keyword" + }, + { + "description": "The name of the server on which the log file entry was generated.\n", + "name": "server_name", + "type": "keyword" + }, + { + "description": "The content of the cookie sent or received, if any.\n", + "name": "cookie", + "type": "keyword" + }, + { + "migration": true, + "name": "body_received.bytes", + "path": "http.request.body.bytes", + "type": "alias" + }, + { + "migration": true, + "name": "body_sent.bytes", + "path": "http.response.body.bytes", + "type": "alias" + }, + { + "migration": true, + "name": "server_ip", + "path": "destination.address", + "type": "alias" + }, + { + "migration": true, + "name": "method", + "path": "http.request.method", + "type": "alias" + }, + { + "migration": true, + "name": "url", + "path": "url.path", + "type": "alias" + }, + { + "migration": true, + "name": "query_string", + "path": "url.query", + "type": "alias" + }, + { + "migration": true, + "name": "port", + "path": "destination.port", + "type": "alias" + }, + { + "migration": true, + "name": "user_name", + "path": "user.name", + "type": "alias" + }, + { + "migration": true, + "name": "remote_ip", + "path": "source.address", + "type": "alias" + }, + { + "migration": true, + "name": "referrer", + "path": "http.request.referrer", + "type": "alias" + }, + { + "migration": true, + "name": "response_code", + "path": "http.response.status_code", + "type": "alias" + }, + { + "migration": true, + "name": 
"http_version", + "path": "http.version", + "type": "alias" + }, + { + "migration": true, + "name": "hostname", + "path": "host.hostname", + "type": "alias" + }, + { + "fields": [ + { + "migration": true, + "name": "device", + "path": "user_agent.device.name", + "type": "alias" + }, + { + "migration": true, + "name": "name", + "path": "user_agent.name", + "type": "alias" + }, + { + "migration": true, + "name": "os", + "path": "user_agent.os.full_name", + "type": "alias" + }, + { + "migration": true, + "name": "os_name", + "path": "user_agent.os.name", + "type": "alias" + }, + { + "migration": true, + "name": "original", + "path": "user_agent.original", + "type": "alias" + } + ], + "name": "user_agent", + "type": "group" + }, + { + "fields": [ + { + "migration": true, + "name": "continent_name", + "path": "source.geo.continent_name", + "type": "alias" + }, + { + "migration": true, + "name": "country_iso_code", + "path": "source.geo.country_iso_code", + "type": "alias" + }, + { + "migration": true, + "name": "location", + "path": "source.geo.location", + "type": "alias" + }, + { + "migration": true, + "name": "region_name", + "path": "source.geo.region_name", + "type": "alias" + }, + { + "migration": true, + "name": "city_name", + "path": "source.geo.city_name", + "type": "alias" + }, + { + "migration": true, + "name": "region_iso_code", + "path": "source.geo.region_iso_code", + "type": "alias" + } + ], + "name": "geoip", + "type": "group" + } + ], + "name": "access", + "type": "group" + } + ] + } + } + } + }, + "error": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains fields for IIS error logs.\n", + "fields": [ + { + "description": "The HTTP reason phrase.\n", + "name": "reason_phrase", + "type": "keyword" + }, + { + "description": "The IIS application pool name.\n", + "name": "queue_name", + "type": "keyword" + }, + { + "migration": true, + "name": "remote_ip", + "path": "source.address", + "type": "alias" + }, + { + 
"migration": true, + "name": "remote_port", + "path": "source.port", + "type": "alias" + }, + { + "migration": true, + "name": "server_ip", + "path": "destination.address", + "type": "alias" + }, + { + "migration": true, + "name": "server_port", + "path": "destination.port", + "type": "alias" + }, + { + "migration": true, + "name": "http_version", + "path": "http.version", + "type": "alias" + }, + { + "migration": true, + "name": "method", + "path": "http.request.method", + "type": "alias" + }, + { + "migration": true, + "name": "url", + "path": "url.original", + "type": "alias" + }, + { + "migration": true, + "name": "response_code", + "path": "http.response.status_code", + "type": "alias" + }, + { + "fields": [ + { + "migration": true, + "name": "continent_name", + "path": "source.geo.continent_name", + "type": "alias" + }, + { + "migration": true, + "name": "country_iso_code", + "path": "source.geo.country_iso_code", + "type": "alias" + }, + { + "migration": true, + "name": "location", + "path": "source.geo.location", + "type": "alias" + }, + { + "migration": true, + "name": "region_name", + "path": "source.geo.region_name", + "type": "alias" + }, + { + "migration": true, + "name": "city_name", + "path": "source.geo.city_name", + "type": "alias" + }, + { + "migration": true, + "name": "region_iso_code", + "path": "source.geo.region_iso_code", + "type": "alias" + } + ], + "name": "geoip", + "type": "group" + } + ], + "name": "error", + "type": "group" + } + ] + } + } + } + } + } + }, + "imperva": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "module": "imperva", + "securesphere": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "imperva fields.\n", + "fields": null, + "key": "imperva", + "title": "Imperva SecureSphere" + } + ] + } + }, + "securesphere": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Name of the network interface where the traffic has been 
observed.\n", + "name": "network.interface.name", + "overwrite": true, + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "fields": [ + { + "description": "This key is used to capture the raw message that comes into the Log Decoder", + "name": "msg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "messageid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of instant messages", + "name": "message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.", + "name": "time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "level", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_vid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "data", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "statement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "audit_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "entry", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "hcode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "inode", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "dead", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "device_type_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "did", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "event_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.", + "name": "forward_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "forward_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "header_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_ctime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session", + "name": "medium", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "node_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key denotes that event is endpoint related", + "name": "nwe_callback_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "parse_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.", + "name": "process_vid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.", + "name": "process_vid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "rid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "session_split", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "site", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "size", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "sourcefile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log", + "name": "word", + "overwrite": true, + "type": "keyword" + } + ], + "name": "internal", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form", + "name": "event_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the normalized duration/lifetime in seconds.", + "name": "duration_time", + "overwrite": true, + "type": "double" + }, + { + "description": "This key is used to capture the incomplete time mentioned in a session as a string", + "name": "event_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Start time mentioned in a session in a 
standard form", + "name": "starttime", + "overwrite": true, + "type": "date" + }, + { + "name": "month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "day", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the End time mentioned in a session in a standard form", + "name": "endtime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the timezone of the Event Time", + "name": "timezone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A text string version of the duration", + "name": "duration_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. 
Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": "expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": 
true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a 
sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. 
Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd Linked ID. 
Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + "name": 
"event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI", + "name": "ip_proto", + "overwrite": true, + "type": "long" + }, + { + "name": "dns_cname_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_opcode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_resp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "host_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "packet_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.", + "name": "host_orig", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.", + "name": "rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the name of the Virtual LAN", + "name": "vlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "network", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures the particular event activity(Ex:Logoff)", + "name": "ec_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Theme of a particular Event(Ex:Authentication)", + "name": "ec_theme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Subject of a particular Event(Ex:User)", + "name": "ec_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the outcome of a particular Event(Ex:Success)", + "name": "ec_outcome", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Event 
category number", + "name": "event_cat", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the event category name corresponding to the event cat code", + "name": "event_cat_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.", + "name": "event_vcat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file", + "name": "analysis_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service", + "name": "analysis_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session", + "name": "analysis_session", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture behaviour of compromise", + "name": "boc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Enablers of Compromise", + "name": "eoc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation category", + "name": "inv_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation context", + "name": "inv_context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is key capture indicator of compromise", + "name": "ioc", + "overwrite": true, + "type": "keyword" + } + ], + "name": "investigations", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is a generic counter key that should be used with the label dclass.c1.str only", + "name": "dclass_c1", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c2.str only", + "name": "dclass_c2", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the number of times an event repeated", + "name": "event_counter", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r1.str only", + "name": "dclass_r1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c3.str only", + "name": "dclass_c3", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c1 only", + "name": "dclass_c1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter 
string key that should be used with the label dclass.c2 only", + "name": "dclass_c2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r1 only", + "name": "dclass_r1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r2.str only", + "name": "dclass_r2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c3 only", + "name": "dclass_c3_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r3.str only", + "name": "dclass_r3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r2 only", + "name": "dclass_r2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r3 only", + "name": "dclass_r3_str", + "overwrite": true, + "type": "keyword" + } + ], + "name": "counters", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture authentication methods used only", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Role of a user only", + "name": "user_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "X.500 (LDAP) Distinguished Name", + "name": "dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the type of logon method used.", + "name": "logon_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the user profile", + "name": "profile", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key is used to capture actual privileges used in accessing an object", + "name": "accesses", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Radius realm or similar grouping of accounts", + "name": "realm", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination User Session ID", + "name": "user_sid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn", + "name": "dn_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the User organization", + "name": "org", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn", + "name": "dn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "firstname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "lastname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User's Department Names only", + "name": "user_dept", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source User Session ID", + "name": "user_sid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Federated Service Provider. This is the application requesting authentication.", + "name": "federated_sp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the federated Identity Provider. 
This is the server providing the authentication.", + "name": "federated_idp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.", + "name": "logon_type_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "middlename", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Passwords seen in any session, plain text or encrypted", + "name": "password", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the role of a Host Machine", + "name": "host_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context", + "name": "ldap", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Search criteria from an LDAP search", + "name": "ldap_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to capture Results from an LDAP search", + "name": "ldap_response", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture username the process or service is running as, the author of the task", + "name": "owner", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage", + "name": "service_account", + "overwrite": true, + "type": "keyword" + } + ], + "name": "identity", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email", + "name": "email_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the source email address only, when the source context is not clear use email", + "name": "email_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the subject string from an Email only.", + "name": "subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a generic email address where the source or destination context is not clear", + "name": "email", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_to", + "overwrite": true, + "type": "keyword" + } + ], + "name": "email", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Deprecated, use permissions", + "name": "privilege", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the attachment file name", + "name": "attachment", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filesystem", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "binary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the file targeted by the action", + "name": "filename_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the parent filename, the 
file which performed the action", + "name": "filename_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filename_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the target process or file", + "name": "directory_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the source process or file", + "name": "directory_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture entropy vale of a file", + "name": "file_entropy", + "overwrite": true, + "type": "double" + }, + { + "description": "This is used to capture Company name of file located in version_info", + "name": "file_vendor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the task", + "name": "task_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "file", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Fully Qualified Domain Names", + "name": "fqdn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Web cookies specifically.", + "name": "web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reputation Number of an entity. 
Typically used for Web Domains", + "name": "reputation_num", + "overwrite": true, + "type": "double" + }, + { + "description": "Web referer's domain", + "name": "web_ref_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's query portion of the URL", + "name": "web_ref_query", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's page information", + "name": "web_ref_page", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web referer's root URL path", + "name": "web_ref_root", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_rpackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlpage", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlroot", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_url", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_method", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_referer", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_extension_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_page", + "overwrite": true, + "type": "keyword" + } + ], + "name": "web", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures Threat Name/Threat Category/Categorization of alert", + "name": "threat_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the threat description from the session directly or inferred", + "name": "threat_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": 
"This key is used to capture name of the alert", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source of the threat", + "name": "threat_source", + "overwrite": true, + "type": "keyword" + } + ], + "name": "threat", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Encryption Type or Encryption Key only", + "name": "crypto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Source (Client) Cipher", + "name": "cipher_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate organization only", + "name": "cert_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer's IP Address", + "name": "peer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source (Client) Cipher Size", + "name": "cipher_size_src", + "overwrite": true, + "type": "long" + }, + { + "description": "IKE negotiation phase.", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Encryption scheme used", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer\u2019s identity", + "name": "peer_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Signature Type", + "name": "sig_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_issuer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "cert_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Certificate Error String", + "name": "cert_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Destination 
(Server) Cipher", + "name": "cipher_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination (Server) Cipher Size", + "name": "cipher_size_dst", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "d_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "name": "s_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One", + "name": "ike_cookie1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two", + "name": "ike_cookie2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used for the hostname category value of a certificate", + "name": "cert_host_cat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate serial number only", + "name": "cert_serial", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Certificate validation status", + "name": "cert_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_keysize", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_insact", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_valid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate signing authority only", + "name": "cert_ca", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate common 
name only", + "name": "cert_common", + "overwrite": true, + "type": "keyword" + } + ], + "name": "crypto", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the ssid of a Wireless Session", + "name": "wlan_ssid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the access point name.", + "name": "access_point", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the channel names", + "name": "wlan_channel", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures either WLAN number/name", + "name": "wlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "wireless", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "A unique name assigned to logical units (volumes) within a physical disk", + "name": "disk_volume", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Logical Unit Number.This key is a very useful concept in Storage.", + "name": "lun", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This uniquely identifies a port on a HBA.", + "name": "pwwn", + "overwrite": true, + "type": "keyword" + } + ], + "name": "storage", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.", + "name": "org_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.", + "name": "org_src", + "overwrite": true, + "type": "keyword" + } + ], + "name": "physical", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_fname", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "This key captures the unique ID for a patient", + "name": "patient_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_lname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_mname", + "overwrite": true, + "type": "keyword" + } + ], + "name": "healthcare", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on", + "name": "host_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the path to the registry key", + "name": "registry_key", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures values or decorators used within a registry entry", + "name": "registry_value", + "overwrite": true, + "type": "keyword" + } + ], + "name": "endpoint", + "overwrite": true, + "type": "group" + } + ], + "name": "rsa", + "overwrite": true, + "type": "group" + } + ] + } + } + } + } + } + }, + "infoblox": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "module": "infoblox", + "nios": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "infoblox fields.\n", + "fields": null, + "key": "infoblox", + "title": "Infoblox NIOS" + } + ] + } + }, + "nios": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Name of the network interface where the traffic has been observed.\n", + "name": "network.interface.name", + "overwrite": true, + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "fields": [ + { + "description": 
"This key is used to capture the raw message that comes into the Log Decoder", + "name": "msg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "messageid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of instant messages", + "name": "message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.", + "name": "time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "level", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_vid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "data", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "statement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "audit_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "entry", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "hcode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "inode", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "dead", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "device_type_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "did", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "event_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.", + "name": "forward_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "forward_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "header_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_ctime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session", + "name": "medium", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "node_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key denotes that event is endpoint related", + "name": "nwe_callback_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "parse_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.", + "name": "process_vid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.", + "name": "process_vid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "rid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "session_split", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "site", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "size", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "sourcefile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log", + "name": "word", + "overwrite": true, + "type": "keyword" + } + ], + "name": "internal", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form", + "name": "event_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the normalized duration/lifetime in seconds.", + "name": "duration_time", + "overwrite": true, + "type": "double" + }, + { + "description": "This key is used to capture the incomplete time mentioned in a session as a string", + "name": "event_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Start time mentioned in a session in a 
standard form", + "name": "starttime", + "overwrite": true, + "type": "date" + }, + { + "name": "month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "day", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the End time mentioned in a session in a standard form", + "name": "endtime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the timezone of the Event Time", + "name": "timezone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A text string version of the duration", + "name": "duration_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. 
Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": "expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": 
true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a 
sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. 
Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd Linked ID. 
Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + "name": 
"event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI", + "name": "ip_proto", + "overwrite": true, + "type": "long" + }, + { + "name": "dns_cname_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_opcode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_resp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "host_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "packet_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.", + "name": "host_orig", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.", + "name": "rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the name of the Virtual LAN", + "name": "vlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "network", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures the particular event activity(Ex:Logoff)", + "name": "ec_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Theme of a particular Event(Ex:Authentication)", + "name": "ec_theme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Subject of a particular Event(Ex:User)", + "name": "ec_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the outcome of a particular Event(Ex:Success)", + "name": "ec_outcome", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Event 
category number", + "name": "event_cat", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the event category name corresponding to the event cat code", + "name": "event_cat_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.", + "name": "event_vcat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file", + "name": "analysis_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service", + "name": "analysis_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session", + "name": "analysis_session", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture behaviour of compromise", + "name": "boc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Enablers of Compromise", + "name": "eoc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation category", + "name": "inv_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation context", + "name": "inv_context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is key capture indicator of compromise", + "name": "ioc", + "overwrite": true, + "type": "keyword" + } + ], + "name": "investigations", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is a generic counter key that should be used with the label dclass.c1.str only", + "name": "dclass_c1", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c2.str only", + "name": "dclass_c2", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the number of times an event repeated", + "name": "event_counter", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r1.str only", + "name": "dclass_r1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c3.str only", + "name": "dclass_c3", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c1 only", + "name": "dclass_c1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter 
string key that should be used with the label dclass.c2 only", + "name": "dclass_c2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r1 only", + "name": "dclass_r1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r2.str only", + "name": "dclass_r2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c3 only", + "name": "dclass_c3_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r3.str only", + "name": "dclass_r3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r2 only", + "name": "dclass_r2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r3 only", + "name": "dclass_r3_str", + "overwrite": true, + "type": "keyword" + } + ], + "name": "counters", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture authentication methods used only", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Role of a user only", + "name": "user_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "X.500 (LDAP) Distinguished Name", + "name": "dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the type of logon method used.", + "name": "logon_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the user profile", + "name": "profile", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key is used to capture actual privileges used in accessing an object", + "name": "accesses", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Radius realm or similar grouping of accounts", + "name": "realm", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination User Session ID", + "name": "user_sid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn", + "name": "dn_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the User organization", + "name": "org", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn", + "name": "dn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "firstname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "lastname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User's Department Names only", + "name": "user_dept", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source User Session ID", + "name": "user_sid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Federated Service Provider. This is the application requesting authentication.", + "name": "federated_sp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the federated Identity Provider. 
This is the server providing the authentication.", + "name": "federated_idp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.", + "name": "logon_type_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "middlename", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Passwords seen in any session, plain text or encrypted", + "name": "password", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the role of a Host Machine", + "name": "host_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context", + "name": "ldap", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Search criteria from an LDAP search", + "name": "ldap_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to capture Results from an LDAP search", + "name": "ldap_response", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture username the process or service is running as, the author of the task", + "name": "owner", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage", + "name": "service_account", + "overwrite": true, + "type": "keyword" + } + ], + "name": "identity", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email", + "name": "email_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the source email address only, when the source context is not clear use email", + "name": "email_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the subject string from an Email only.", + "name": "subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a generic email address where the source or destination context is not clear", + "name": "email", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_to", + "overwrite": true, + "type": "keyword" + } + ], + "name": "email", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Deprecated, use permissions", + "name": "privilege", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the attachment file name", + "name": "attachment", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filesystem", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "binary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the file targeted by the action", + "name": "filename_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the parent filename, the 
file which performed the action", + "name": "filename_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filename_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the target process or file", + "name": "directory_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the source process or file", + "name": "directory_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture entropy vale of a file", + "name": "file_entropy", + "overwrite": true, + "type": "double" + }, + { + "description": "This is used to capture Company name of file located in version_info", + "name": "file_vendor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the task", + "name": "task_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "file", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Fully Qualified Domain Names", + "name": "fqdn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Web cookies specifically.", + "name": "web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reputation Number of an entity. 
Typically used for Web Domains", + "name": "reputation_num", + "overwrite": true, + "type": "double" + }, + { + "description": "Web referer's domain", + "name": "web_ref_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's query portion of the URL", + "name": "web_ref_query", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's page information", + "name": "web_ref_page", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web referer's root URL path", + "name": "web_ref_root", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_rpackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlpage", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlroot", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_url", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_method", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_referer", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_extension_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_page", + "overwrite": true, + "type": "keyword" + } + ], + "name": "web", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures Threat Name/Threat Category/Categorization of alert", + "name": "threat_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the threat description from the session directly or inferred", + "name": "threat_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": 
"This key is used to capture name of the alert", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source of the threat", + "name": "threat_source", + "overwrite": true, + "type": "keyword" + } + ], + "name": "threat", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Encryption Type or Encryption Key only", + "name": "crypto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Source (Client) Cipher", + "name": "cipher_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate organization only", + "name": "cert_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer's IP Address", + "name": "peer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source (Client) Cipher Size", + "name": "cipher_size_src", + "overwrite": true, + "type": "long" + }, + { + "description": "IKE negotiation phase.", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Encryption scheme used", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer\u2019s identity", + "name": "peer_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Signature Type", + "name": "sig_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_issuer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "cert_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Certificate Error String", + "name": "cert_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Destination 
(Server) Cipher", + "name": "cipher_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination (Server) Cipher Size", + "name": "cipher_size_dst", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "d_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "name": "s_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One", + "name": "ike_cookie1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two", + "name": "ike_cookie2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used for the hostname category value of a certificate", + "name": "cert_host_cat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate serial number only", + "name": "cert_serial", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Certificate validation status", + "name": "cert_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_keysize", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_insact", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_valid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate signing authority only", + "name": "cert_ca", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate common 
name only", + "name": "cert_common", + "overwrite": true, + "type": "keyword" + } + ], + "name": "crypto", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the ssid of a Wireless Session", + "name": "wlan_ssid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the access point name.", + "name": "access_point", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the channel names", + "name": "wlan_channel", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures either WLAN number/name", + "name": "wlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "wireless", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "A unique name assigned to logical units (volumes) within a physical disk", + "name": "disk_volume", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Logical Unit Number.This key is a very useful concept in Storage.", + "name": "lun", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This uniquely identifies a port on a HBA.", + "name": "pwwn", + "overwrite": true, + "type": "keyword" + } + ], + "name": "storage", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.", + "name": "org_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.", + "name": "org_src", + "overwrite": true, + "type": "keyword" + } + ], + "name": "physical", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_fname", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "This key captures the unique ID for a patient", + "name": "patient_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_lname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_mname", + "overwrite": true, + "type": "keyword" + } + ], + "name": "healthcare", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on", + "name": "host_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the path to the registry key", + "name": "registry_key", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures values or decorators used within a registry entry", + "name": "registry_value", + "overwrite": true, + "type": "keyword" + } + ], + "name": "endpoint", + "overwrite": true, + "type": "group" + } + ], + "name": "rsa", + "overwrite": true, + "type": "group" + } + ] + } + } + } + } + } + }, + "iptables": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "iptables" + } + ], + "fields.yml": [ + { + "description": "Module for handling the iptables logs.\n", + "fields": [ + { + "description": "Fields from the iptables logs.\n", + "fields": null, + "name": "iptables", + "type": "group" + } + ], + "key": "iptables", + "title": "iptables" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Value of the ethernet type field identifying the network layer protocol.\n", + "name": "ether_type", + "type": "long" + }, + { + 
"description": "IPv6 flow label.\n", + "name": "flow_label", + "type": "integer" + }, + { + "description": "IP fragment flags. A combination of CE, DF and MF.\n", + "name": "fragment_flags", + "type": "keyword" + }, + { + "description": "Offset of the current IP fragment.\n", + "name": "fragment_offset", + "type": "long" + }, + { + "description": "ICMP fields.\n", + "fields": [ + { + "description": "ICMP code.\n", + "name": "code", + "type": "long" + }, + { + "description": "ICMP ID.\n", + "name": "id", + "type": "long" + }, + { + "description": "ICMP parameter.\n", + "name": "parameter", + "type": "long" + }, + { + "description": "ICMP redirect address.\n", + "name": "redirect", + "type": "ip" + }, + { + "description": "ICMP sequence number.\n", + "name": "seq", + "type": "long" + }, + { + "description": "ICMP type.\n", + "name": "type", + "type": "long" + } + ], + "name": "icmp", + "type": "group" + }, + { + "description": "Packet identifier.\n", + "name": "id", + "type": "long" + }, + { + "description": "Number of incomplete bytes.\n", + "name": "incomplete_bytes", + "type": "long" + }, + { + "description": "Device that received the packet.\n", + "name": "input_device", + "type": "keyword" + }, + { + "description": "IP precedence bits.\n", + "name": "precedence_bits", + "type": "short" + }, + { + "description": "IP Type of Service field.\n", + "name": "tos", + "type": "long" + }, + { + "description": "Packet length.\n", + "name": "length", + "type": "long" + }, + { + "description": "Device that output the packet.\n", + "name": "output_device", + "type": "keyword" + }, + { + "description": "TCP fields.\n", + "fields": [ + { + "description": "TCP flags.\n", + "name": "flags", + "type": "keyword" + }, + { + "description": "TCP reserved bits.\n", + "name": "reserved_bits", + "type": "short" + }, + { + "description": "TCP sequence number.\n", + "name": "seq", + "type": "long" + }, + { + "description": "TCP Acknowledgment number.\n", + "name": "ack", + "type": "long" 
+ }, + { + "description": "Advertised TCP window size.\n", + "name": "window", + "type": "long" + } + ], + "name": "tcp", + "type": "group" + }, + { + "description": "Time To Live field.\n", + "name": "ttl", + "type": "integer" + }, + { + "description": "UDP fields.\n", + "fields": [ + { + "description": "Length of the UDP header and payload.\n", + "name": "length", + "type": "long" + } + ], + "name": "udp", + "type": "group" + }, + { + "description": "Fields for Ubiquiti network devices.\n", + "fields": [ + { + "description": "Input zone.\n", + "name": "input_zone", + "type": "keyword" + }, + { + "description": "Output zone.\n", + "name": "output_zone", + "type": "keyword" + }, + { + "description": "The rule number within the rule set.", + "name": "rule_number", + "type": "keyword" + }, + { + "description": "The rule set name.", + "name": "rule_set", + "type": "keyword" + } + ], + "name": "ubiquiti", + "type": "group" + } + ] + } + } + } + } + } + }, + "juniper": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "junos": { + "enabled": true + }, + "module": "juniper" + } + ], + "fields.yml": [ + { + "description": "juniper fields.\n", + "fields": null, + "key": "juniper", + "title": "Juniper JUNOS" + } + ] + } + }, + "junos": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Name of the network interface where the traffic has been observed.\n", + "name": "network.interface.name", + "overwrite": true, + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "fields": [ + { + "description": "This key is used to capture the raw message that comes into the Log Decoder", + "name": "msg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "messageid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of instant messages", + "name": "message", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.", + "name": "time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "level", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_vid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "data", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "statement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": 
"audit_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "entry", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "hcode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "inode", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "dead", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "device_type_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "did", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "event_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.", + "name": "forward_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "forward_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "header_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_ctime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
32 = log, 33 = correlation session, < 32 is packet session", + "name": "medium", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "node_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key denotes that event is endpoint related", + "name": "nwe_callback_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "parse_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.", + "name": "process_vid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.", + "name": "process_vid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "rid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "session_split", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "site", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "size", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "sourcefile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log", + "name": "word", + "overwrite": true, + "type": "keyword" + } + ], + "name": "internal", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form", + "name": "event_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the normalized duration/lifetime in seconds.", + "name": "duration_time", + "overwrite": true, + "type": "double" + }, + { + "description": "This key is used to capture the incomplete time mentioned in a session as a string", + "name": "event_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Start time mentioned in a session in a standard form", + "name": "starttime", + "overwrite": true, + "type": "date" + }, + { + "name": "month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "day", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the End time mentioned in a session in a standard form", + "name": "endtime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the timezone of the Event Time", + "name": "timezone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A text string version of the duration", + "name": "duration_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The event time as recorded by the system the event is collected from. 
The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": 
"expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of 
the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. 
The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd 
Linked ID. Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + 
"name": "event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI", + "name": "ip_proto", + "overwrite": true, + "type": "long" + }, + { + "name": "dns_cname_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_opcode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_resp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "host_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "packet_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.", + "name": "host_orig", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.", + "name": "rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the name of the Virtual LAN", + "name": "vlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "network", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures the particular event activity(Ex:Logoff)", + "name": "ec_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Theme of a particular Event(Ex:Authentication)", + "name": "ec_theme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Subject of a particular Event(Ex:User)", + "name": "ec_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the outcome of a particular Event(Ex:Success)", + "name": "ec_outcome", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Event 
category number", + "name": "event_cat", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the event category name corresponding to the event cat code", + "name": "event_cat_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.", + "name": "event_vcat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file", + "name": "analysis_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service", + "name": "analysis_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session", + "name": "analysis_session", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture behaviour of compromise", + "name": "boc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Enablers of Compromise", + "name": "eoc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation category", + "name": "inv_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation context", + "name": "inv_context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is key capture indicator of compromise", + "name": "ioc", + "overwrite": true, + "type": "keyword" + } + ], + "name": "investigations", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is a generic counter key that should be used with the label dclass.c1.str only", + "name": "dclass_c1", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c2.str only", + "name": "dclass_c2", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the number of times an event repeated", + "name": "event_counter", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r1.str only", + "name": "dclass_r1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c3.str only", + "name": "dclass_c3", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c1 only", + "name": "dclass_c1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter 
string key that should be used with the label dclass.c2 only", + "name": "dclass_c2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r1 only", + "name": "dclass_r1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r2.str only", + "name": "dclass_r2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c3 only", + "name": "dclass_c3_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r3.str only", + "name": "dclass_r3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r2 only", + "name": "dclass_r2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r3 only", + "name": "dclass_r3_str", + "overwrite": true, + "type": "keyword" + } + ], + "name": "counters", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture authentication methods used only", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Role of a user only", + "name": "user_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "X.500 (LDAP) Distinguished Name", + "name": "dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the type of logon method used.", + "name": "logon_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the user profile", + "name": "profile", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key is used to capture actual privileges used in accessing an object", + "name": "accesses", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Radius realm or similar grouping of accounts", + "name": "realm", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination User Session ID", + "name": "user_sid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn", + "name": "dn_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the User organization", + "name": "org", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn", + "name": "dn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "firstname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "lastname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User's Department Names only", + "name": "user_dept", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source User Session ID", + "name": "user_sid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Federated Service Provider. This is the application requesting authentication.", + "name": "federated_sp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the federated Identity Provider. 
This is the server providing the authentication.", + "name": "federated_idp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.", + "name": "logon_type_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "middlename", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Passwords seen in any session, plain text or encrypted", + "name": "password", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the role of a Host Machine", + "name": "host_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context", + "name": "ldap", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Search criteria from an LDAP search", + "name": "ldap_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to capture Results from an LDAP search", + "name": "ldap_response", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture username the process or service is running as, the author of the task", + "name": "owner", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage", + "name": "service_account", + "overwrite": true, + "type": "keyword" + } + ], + "name": "identity", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email", + "name": "email_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the source email address only, when the source context is not clear use email", + "name": "email_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the subject string from an Email only.", + "name": "subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a generic email address where the source or destination context is not clear", + "name": "email", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_to", + "overwrite": true, + "type": "keyword" + } + ], + "name": "email", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Deprecated, use permissions", + "name": "privilege", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the attachment file name", + "name": "attachment", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filesystem", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "binary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the file targeted by the action", + "name": "filename_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the parent filename, the 
file which performed the action", + "name": "filename_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filename_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the target process or file", + "name": "directory_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the source process or file", + "name": "directory_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture entropy vale of a file", + "name": "file_entropy", + "overwrite": true, + "type": "double" + }, + { + "description": "This is used to capture Company name of file located in version_info", + "name": "file_vendor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the task", + "name": "task_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "file", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Fully Qualified Domain Names", + "name": "fqdn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Web cookies specifically.", + "name": "web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reputation Number of an entity. 
Typically used for Web Domains", + "name": "reputation_num", + "overwrite": true, + "type": "double" + }, + { + "description": "Web referer's domain", + "name": "web_ref_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's query portion of the URL", + "name": "web_ref_query", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's page information", + "name": "web_ref_page", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web referer's root URL path", + "name": "web_ref_root", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_rpackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlpage", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlroot", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_url", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_method", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_referer", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_extension_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_page", + "overwrite": true, + "type": "keyword" + } + ], + "name": "web", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures Threat Name/Threat Category/Categorization of alert", + "name": "threat_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the threat description from the session directly or inferred", + "name": "threat_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": 
"This key is used to capture name of the alert", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source of the threat", + "name": "threat_source", + "overwrite": true, + "type": "keyword" + } + ], + "name": "threat", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Encryption Type or Encryption Key only", + "name": "crypto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Source (Client) Cipher", + "name": "cipher_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate organization only", + "name": "cert_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer's IP Address", + "name": "peer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source (Client) Cipher Size", + "name": "cipher_size_src", + "overwrite": true, + "type": "long" + }, + { + "description": "IKE negotiation phase.", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Encryption scheme used", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer\u2019s identity", + "name": "peer_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Signature Type", + "name": "sig_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_issuer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "cert_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Certificate Error String", + "name": "cert_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Destination 
(Server) Cipher", + "name": "cipher_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination (Server) Cipher Size", + "name": "cipher_size_dst", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "d_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "name": "s_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One", + "name": "ike_cookie1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two", + "name": "ike_cookie2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used for the hostname category value of a certificate", + "name": "cert_host_cat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate serial number only", + "name": "cert_serial", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Certificate validation status", + "name": "cert_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_keysize", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_insact", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_valid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate signing authority only", + "name": "cert_ca", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate common 
name only", + "name": "cert_common", + "overwrite": true, + "type": "keyword" + } + ], + "name": "crypto", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the ssid of a Wireless Session", + "name": "wlan_ssid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the access point name.", + "name": "access_point", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the channel names", + "name": "wlan_channel", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures either WLAN number/name", + "name": "wlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "wireless", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "A unique name assigned to logical units (volumes) within a physical disk", + "name": "disk_volume", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Logical Unit Number.This key is a very useful concept in Storage.", + "name": "lun", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This uniquely identifies a port on a HBA.", + "name": "pwwn", + "overwrite": true, + "type": "keyword" + } + ], + "name": "storage", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.", + "name": "org_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.", + "name": "org_src", + "overwrite": true, + "type": "keyword" + } + ], + "name": "physical", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_fname", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "This key captures the unique ID for a patient", + "name": "patient_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_lname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_mname", + "overwrite": true, + "type": "keyword" + } + ], + "name": "healthcare", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on", + "name": "host_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the path to the registry key", + "name": "registry_key", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures values or decorators used within a registry entry", + "name": "registry_value", + "overwrite": true, + "type": "keyword" + } + ], + "name": "endpoint", + "overwrite": true, + "type": "group" + } + ], + "name": "rsa", + "overwrite": true, + "type": "group" + } + ] + } + } + } + } + } + }, + "kafka": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "kafka" + } + ], + "fields.yml": [ + { + "description": "Kafka module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "kafka", + "type": "group" + } + ], + "key": "kafka", + "title": "Kafka" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Kafka log lines.\n", + "fields": [ + { + "migration": true, + "name": "level", + "path": "log.level", + "type": "alias" + }, + { + "migration": true, + "name": "message", + "path": "message", + "type": 
"alias" + }, + { + "description": "Component the log is coming from.\n", + "name": "component", + "type": "keyword" + }, + { + "description": "Java class the log is coming from.\n", + "name": "class", + "type": "keyword" + }, + { + "description": "Thread name the log is coming from.\n", + "name": "thread", + "type": "keyword" + }, + { + "description": "Trace in the log line.\n", + "fields": [ + { + "description": "Java class the trace is coming from.\n", + "name": "class", + "type": "keyword" + }, + { + "description": "Message part of the trace.\n", + "name": "message", + "type": "text" + } + ], + "name": "trace", + "type": "group" + } + ], + "name": "log", + "type": "group" + } + ] + } + } + } + } + } + }, + "kibana": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "kibana" + } + ], + "fields.yml": [ + { + "description": "kibana Module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "kibana", + "type": "group" + } + ], + "key": "kibana", + "title": "kibana" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Kafka log lines.\n", + "fields": [ + { + "description": "Kibana logging tags.\n", + "name": "tags", + "type": "keyword" + }, + { + "description": "Current state of Kibana.\n", + "name": "state", + "type": "keyword" + }, + { + "name": "meta", + "object_type": "keyword", + "type": "object" + }, + { + "migration": true, + "name": "kibana.log.meta.req.headers.referer", + "path": "http.request.referrer", + "type": "alias" + }, + { + "migration": true, + "name": "kibana.log.meta.req.referer", + "path": "http.request.referrer", + "type": "alias" + }, + { + "migration": true, + "name": "kibana.log.meta.req.headers.user-agent", + "path": "user_agent.original", + "type": "alias" + }, + { + "migration": true, + "name": "kibana.log.meta.req.remoteAddress", + "path": "source.address", + "type": "alias" + }, + { + "migration": true, 
+ "name": "kibana.log.meta.req.url", + "path": "url.original", + "type": "alias" + }, + { + "migration": true, + "name": "kibana.log.meta.statusCode", + "path": "http.response.status_code", + "type": "alias" + }, + { + "migration": true, + "name": "kibana.log.meta.method", + "path": "http.request.method", + "type": "alias" + } + ], + "name": "log", + "type": "group" + } + ] + } + } + } + } + } + }, + "logstash": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "logstash", + "slowlog": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "logstash Module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "logstash", + "type": "group" + } + ], + "key": "logstash", + "title": "logstash" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields from the Logstash logs.\n", + "fields": [ + { + "description": "The module or class where the event originate.\n", + "name": "module", + "type": "keyword" + }, + { + "description": "Information about the running thread where the log originate.\n", + "multi_fields": [ + { + "name": "text", + "type": "text" + } + ], + "name": "thread", + "type": "keyword" + }, + { + "description": "key and value debugging information.\n", + "name": "log_event", + "type": "object" + }, + { + "description": "The ID of the pipeline.\n", + "example": "main", + "name": "pipeline_id", + "type": "keyword" + }, + { + "migration": true, + "name": "message", + "path": "message", + "type": "alias" + }, + { + "migration": true, + "name": "level", + "path": "log.level", + "type": "alias" + } + ], + "name": "log", + "title": "Logstash", + "type": "group" + } + ] + } + } + } + }, + "slowlog": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "slowlog\n", + "fields": [ + { + "description": "The module or class where the event originate.\n", + "name": "module", + "type": 
"keyword" + }, + { + "description": "Information about the running thread where the log originate.\n", + "multi_fields": [ + { + "name": "text", + "type": "text" + } + ], + "name": "thread", + "type": "keyword" + }, + { + "description": "Raw dump of the original event\n", + "multi_fields": [ + { + "name": "text", + "type": "text" + } + ], + "name": "event", + "type": "keyword" + }, + { + "description": "Name of the plugin\n", + "name": "plugin_name", + "type": "keyword" + }, + { + "description": "Type of the plugin: Inputs, Filters, Outputs or Codecs.\n", + "name": "plugin_type", + "type": "keyword" + }, + { + "description": "Execution time for the plugin in milliseconds.\n", + "name": "took_in_millis", + "type": "long" + }, + { + "description": "String value of the plugin configuration\n", + "multi_fields": [ + { + "name": "text", + "type": "text" + } + ], + "name": "plugin_params", + "type": "keyword" + }, + { + "description": "key -> value of the configuration used by the plugin.\n", + "name": "plugin_params_object", + "type": "object" + }, + { + "migration": true, + "name": "level", + "path": "log.level", + "type": "alias" + }, + { + "migration": true, + "name": "took_in_nanos", + "path": "event.duration", + "type": "alias" + } + ], + "name": "slowlog", + "type": "group" + } + ] + } + } + } + } + } + }, + "microsoft": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "defender_atp": { + "enabled": true + }, + "dhcp": { + "enabled": true + }, + "module": "microsoft" + } + ], + "fields.yml": [ + { + "description": "Microsoft Module\n", + "fields": null, + "key": "microsoft", + "title": "Microsoft" + } + ] + } + }, + "defender_atp": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Module for ingesting Microsoft Defender ATP.\n", + "fields": [ + { + "description": "The date and time (in UTC) the alert was last updated.\n", + "name": "lastUpdateTime", + "type": "date" + }, + { + 
"description": "The date and time in which the status of the alert was changed to 'Resolved'.\n", + "name": "resolvedTime", + "type": "date" + }, + { + "description": "The Incident ID of the Alert.\n", + "name": "incidentId", + "type": "keyword" + }, + { + "description": "The Investigation ID related to the Alert.\n", + "name": "investigationId", + "type": "keyword" + }, + { + "description": "The current state of the Investigation.\n", + "name": "investigationState", + "type": "keyword" + }, + { + "description": "Owner of the alert.\n", + "name": "assignedTo", + "type": "keyword" + }, + { + "description": "Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.\n", + "name": "classification", + "type": "keyword" + }, + { + "description": "Specifies the determination of the alert. 
Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.\n", + "name": "determination", + "type": "keyword" + }, + { + "description": "Threat family.\n", + "name": "threatFamilyName", + "type": "keyword" + }, + { + "description": "User group related to the alert\n", + "name": "rbacGroupName", + "type": "keyword" + }, + { + "description": "Domain name related to the alert\n", + "name": "evidence.domainName", + "type": "keyword" + }, + { + "description": "IP address involved in the alert\n", + "name": "evidence.ipAddress", + "type": "ip" + }, + { + "description": "ID of the user involved in the alert\n", + "name": "evidence.aadUserId", + "type": "keyword" + }, + { + "description": "Username of the user involved in the alert\n", + "name": "evidence.accountName", + "type": "keyword" + }, + { + "description": "The type of evidence\n", + "name": "evidence.entityType", + "type": "keyword" + }, + { + "description": "Principal name of the user involved in the alert\n", + "name": "evidence.userPrincipalName", + "type": "keyword" + } + ], + "name": "microsoft.defender_atp", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "dhcp": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Name of the network interface where the traffic has been observed.\n", + "name": "network.interface.name", + "overwrite": true, + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "fields": [ + { + "description": "This key is used to capture the raw message that comes into the Log Decoder", + "name": "msg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "messageid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of instant messages", + "name": "message", + "overwrite": true, + "type": "keyword" + }, + 
{ + "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.", + "name": "time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "level", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_vid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "data", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "statement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "audit_class", + "overwrite": true, + "type": "keyword" 
+ }, + { + "description": "Deprecated key defined only in table map.", + "name": "entry", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "hcode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "inode", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "dead", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "device_type_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "did", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "event_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.", + "name": "forward_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "forward_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "header_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_ctime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
32 = log, 33 = correlation session, < 32 is packet session", + "name": "medium", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "node_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key denotes that event is endpoint related", + "name": "nwe_callback_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "parse_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.", + "name": "process_vid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.", + "name": "process_vid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "rid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "session_split", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "site", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "size", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "sourcefile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log", + "name": "word", + "overwrite": true, + "type": "keyword" + } + ], + "name": "internal", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form", + "name": "event_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the normalized duration/lifetime in seconds.", + "name": "duration_time", + "overwrite": true, + "type": "double" + }, + { + "description": "This key is used to capture the incomplete time mentioned in a session as a string", + "name": "event_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Start time mentioned in a session in a standard form", + "name": "starttime", + "overwrite": true, + "type": "date" + }, + { + "name": "month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "day", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the End time mentioned in a session in a standard form", + "name": "endtime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the timezone of the Event Time", + "name": "timezone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A text string version of the duration", + "name": "duration_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The event time as recorded by the system the event is collected from. 
The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": 
"expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of 
the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. 
The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd 
Linked ID. Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + 
"name": "event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI", + "name": "ip_proto", + "overwrite": true, + "type": "long" + }, + { + "name": "dns_cname_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_opcode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_resp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "host_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "packet_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.", + "name": "host_orig", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.", + "name": "rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the name of the Virtual LAN", + "name": "vlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "network", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures the particular event activity(Ex:Logoff)", + "name": "ec_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Theme of a particular Event(Ex:Authentication)", + "name": "ec_theme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Subject of a particular Event(Ex:User)", + "name": "ec_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the outcome of a particular Event(Ex:Success)", + "name": "ec_outcome", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Event 
category number", + "name": "event_cat", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the event category name corresponding to the event cat code", + "name": "event_cat_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.", + "name": "event_vcat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file", + "name": "analysis_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service", + "name": "analysis_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session", + "name": "analysis_session", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture behaviour of compromise", + "name": "boc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Enablers of Compromise", + "name": "eoc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation category", + "name": "inv_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation context", + "name": "inv_context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is key capture indicator of compromise", + "name": "ioc", + "overwrite": true, + "type": "keyword" + } + ], + "name": "investigations", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is a generic counter key that should be used with the label dclass.c1.str only", + "name": "dclass_c1", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c2.str only", + "name": "dclass_c2", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the number of times an event repeated", + "name": "event_counter", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r1.str only", + "name": "dclass_r1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c3.str only", + "name": "dclass_c3", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c1 only", + "name": "dclass_c1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter 
string key that should be used with the label dclass.c2 only", + "name": "dclass_c2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r1 only", + "name": "dclass_r1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r2.str only", + "name": "dclass_r2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c3 only", + "name": "dclass_c3_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r3.str only", + "name": "dclass_r3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r2 only", + "name": "dclass_r2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r3 only", + "name": "dclass_r3_str", + "overwrite": true, + "type": "keyword" + } + ], + "name": "counters", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture authentication methods used only", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Role of a user only", + "name": "user_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "X.500 (LDAP) Distinguished Name", + "name": "dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the type of logon method used.", + "name": "logon_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the user profile", + "name": "profile", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key is used to capture actual privileges used in accessing an object", + "name": "accesses", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Radius realm or similar grouping of accounts", + "name": "realm", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination User Session ID", + "name": "user_sid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn", + "name": "dn_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the User organization", + "name": "org", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn", + "name": "dn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "firstname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "lastname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User's Department Names only", + "name": "user_dept", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source User Session ID", + "name": "user_sid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Federated Service Provider. This is the application requesting authentication.", + "name": "federated_sp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the federated Identity Provider. 
This is the server providing the authentication.", + "name": "federated_idp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.", + "name": "logon_type_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "middlename", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Passwords seen in any session, plain text or encrypted", + "name": "password", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the role of a Host Machine", + "name": "host_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context", + "name": "ldap", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Search criteria from an LDAP search", + "name": "ldap_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to capture Results from an LDAP search", + "name": "ldap_response", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture username the process or service is running as, the author of the task", + "name": "owner", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage", + "name": "service_account", + "overwrite": true, + "type": "keyword" + } + ], + "name": "identity", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email", + "name": "email_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the source email address only, when the source context is not clear use email", + "name": "email_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the subject string from an Email only.", + "name": "subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a generic email address where the source or destination context is not clear", + "name": "email", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_to", + "overwrite": true, + "type": "keyword" + } + ], + "name": "email", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Deprecated, use permissions", + "name": "privilege", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the attachment file name", + "name": "attachment", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filesystem", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "binary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the file targeted by the action", + "name": "filename_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the parent filename, the 
file which performed the action", + "name": "filename_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filename_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the target process or file", + "name": "directory_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the source process or file", + "name": "directory_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture entropy vale of a file", + "name": "file_entropy", + "overwrite": true, + "type": "double" + }, + { + "description": "This is used to capture Company name of file located in version_info", + "name": "file_vendor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the task", + "name": "task_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "file", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Fully Qualified Domain Names", + "name": "fqdn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Web cookies specifically.", + "name": "web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reputation Number of an entity. 
Typically used for Web Domains", + "name": "reputation_num", + "overwrite": true, + "type": "double" + }, + { + "description": "Web referer's domain", + "name": "web_ref_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's query portion of the URL", + "name": "web_ref_query", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's page information", + "name": "web_ref_page", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web referer's root URL path", + "name": "web_ref_root", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_rpackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlpage", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlroot", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_url", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_method", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_referer", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_extension_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_page", + "overwrite": true, + "type": "keyword" + } + ], + "name": "web", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures Threat Name/Threat Category/Categorization of alert", + "name": "threat_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the threat description from the session directly or inferred", + "name": "threat_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": 
"This key is used to capture name of the alert", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source of the threat", + "name": "threat_source", + "overwrite": true, + "type": "keyword" + } + ], + "name": "threat", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Encryption Type or Encryption Key only", + "name": "crypto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Source (Client) Cipher", + "name": "cipher_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate organization only", + "name": "cert_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer's IP Address", + "name": "peer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source (Client) Cipher Size", + "name": "cipher_size_src", + "overwrite": true, + "type": "long" + }, + { + "description": "IKE negotiation phase.", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Encryption scheme used", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer\u2019s identity", + "name": "peer_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Signature Type", + "name": "sig_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_issuer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "cert_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Certificate Error String", + "name": "cert_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Destination 
(Server) Cipher", + "name": "cipher_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination (Server) Cipher Size", + "name": "cipher_size_dst", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "d_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "name": "s_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One", + "name": "ike_cookie1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two", + "name": "ike_cookie2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used for the hostname category value of a certificate", + "name": "cert_host_cat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate serial number only", + "name": "cert_serial", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Certificate validation status", + "name": "cert_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_keysize", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_insact", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_valid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate signing authority only", + "name": "cert_ca", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate common 
name only", + "name": "cert_common", + "overwrite": true, + "type": "keyword" + } + ], + "name": "crypto", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the ssid of a Wireless Session", + "name": "wlan_ssid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the access point name.", + "name": "access_point", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the channel names", + "name": "wlan_channel", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures either WLAN number/name", + "name": "wlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "wireless", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "A unique name assigned to logical units (volumes) within a physical disk", + "name": "disk_volume", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Logical Unit Number.This key is a very useful concept in Storage.", + "name": "lun", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This uniquely identifies a port on a HBA.", + "name": "pwwn", + "overwrite": true, + "type": "keyword" + } + ], + "name": "storage", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.", + "name": "org_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.", + "name": "org_src", + "overwrite": true, + "type": "keyword" + } + ], + "name": "physical", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_fname", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "This key captures the unique ID for a patient", + "name": "patient_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_lname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_mname", + "overwrite": true, + "type": "keyword" + } + ], + "name": "healthcare", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on", + "name": "host_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the path to the registry key", + "name": "registry_key", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures values or decorators used within a registry entry", + "name": "registry_value", + "overwrite": true, + "type": "keyword" + } + ], + "name": "endpoint", + "overwrite": true, + "type": "group" + } + ], + "name": "rsa", + "overwrite": true, + "type": "group" + } + ] + } + } + } + } + } + }, + "misp": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "module": "misp", + "threat": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "Module for handling threat information from MISP.\n", + "fields": [ + { + "description": "Fields from MISP threat information.\n", + "fields": null, + "name": "misp", + "type": "group" + } + ], + "key": "misp", + "title": "MISP" + } + ] + } + }, + "threat": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields provide support for specifying information about attack patterns.\n", + "fields": [ + { + "description": "Identifier of 
the threat indicator.\n", + "level": "core", + "name": "id", + "type": "keyword" + }, + { + "description": "Name of the attack pattern.\n", + "level": "core", + "name": "name", + "type": "keyword" + }, + { + "description": "Description of the attack pattern.\n", + "level": "extended", + "name": "description", + "type": "text" + }, + { + "description": "The kill chain phase(s) to which this attack pattern corresponds.\n", + "level": "extended", + "name": "kill_chain_phases", + "type": "keyword" + } + ], + "name": "attack_pattern", + "short": "Fields that let you store attack patterns", + "title": "Attack Pattern", + "type": "group" + }, + { + "description": "Fields provide support for specifying information about campaigns.\n", + "fields": [ + { + "description": "Identifier of the campaign.\n", + "level": "core", + "name": "id", + "type": "keyword" + }, + { + "description": "Name of the campaign.\n", + "level": "core", + "name": "name", + "type": "keyword" + }, + { + "description": "Description of the campaign.\n", + "level": "extended", + "name": "description", + "type": "text" + }, + { + "description": "Alternative names used to identify this campaign.\n", + "level": "extended", + "name": "aliases", + "type": "text" + }, + { + "description": "The time that this Campaign was first seen, in RFC3339 format.\n", + "level": "core", + "name": "first_seen", + "type": "date" + }, + { + "description": "The time that this Campaign was last seen, in RFC3339 format.\n", + "level": "core", + "name": "last_seen", + "type": "date" + }, + { + "description": "This field defines the Campaign's primary goal, objective, desired outcome, or intended effect.\n", + "level": "core", + "name": "objective", + "type": "keyword" + } + ], + "name": "campaign", + "short": "Fields that let you store campaign information", + "title": "Campaign", + "type": "group" + }, + { + "description": "A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in 
progress.\n", + "fields": [ + { + "description": "Identifier of the Course of Action.\n", + "level": "core", + "name": "id", + "type": "keyword" + }, + { + "description": "The name used to identify the Course of Action.\n", + "level": "core", + "name": "name", + "type": "keyword" + }, + { + "description": "Description of the Course of Action.\n", + "level": "extended", + "name": "description", + "type": "text" + } + ], + "name": "course_of_action", + "short": "Fields that let you store information about course of action.", + "title": "Course of Action", + "type": "group" + }, + { + "description": "Identity can represent actual individuals, organizations, or groups, as well as classes of individuals, organizations, or groups.\n", + "fields": [ + { + "description": "Identifier of the Identity.\n", + "level": "core", + "name": "id", + "type": "keyword" + }, + { + "description": "The name used to identify the Identity.\n", + "level": "core", + "name": "name", + "type": "keyword" + }, + { + "description": "Description of the Identity.\n", + "level": "extended", + "name": "description", + "type": "text" + }, + { + "description": "The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov \n", + "level": "core", + "name": "identity_class", + "type": "keyword" + }, + { + "description": "The list of roles that this Identity performs. \n", + "example": "CEO\n", + "level": "extended", + "name": "labels", + "type": "keyword" + }, + { + "description": "The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov \n", + "level": "extended", + "name": "sectors", + "type": "keyword" + }, + { + "description": "The contact information (e-mail, phone number, etc.) 
for this Identity.\n", + "level": "extended", + "name": "contact_information", + "type": "text" + } + ], + "name": "identity", + "short": "Fields that let you store information about identity.", + "title": "Identity", + "type": "group" + }, + { + "description": "An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization.\n", + "fields": [ + { + "description": "Identifier of the Intrusion Set.\n", + "level": "core", + "name": "id", + "type": "keyword" + }, + { + "description": "The name used to identify the Intrusion Set.\n", + "level": "core", + "name": "name", + "type": "keyword" + }, + { + "description": "Description of the Intrusion Set.\n", + "level": "extended", + "name": "description", + "type": "text" + }, + { + "description": "Alternative names used to identify the Intrusion Set.\n", + "level": "extended", + "name": "aliases", + "type": "text" + }, + { + "description": "The time that this Intrusion Set was first seen, in RFC3339 format.\n", + "level": "extended", + "name": "first_seen", + "type": "date" + }, + { + "description": "The time that this Intrusion Set was last seen, in RFC3339 format.\n", + "level": "extended", + "name": "last_seen", + "type": "date" + }, + { + "description": "The high level goals of this Intrusion Set, namely, what are they trying to do.\n", + "level": "extended", + "name": "goals", + "type": "text" + }, + { + "description": "This defines the organizational level at which this Intrusion Set typically works. Open Vocab - attack-resource-level-ov\n", + "level": "extended", + "name": "resource_level", + "type": "text" + }, + { + "description": "The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab - attack-motivation-ov\n", + "level": "extended", + "name": "primary_motivation", + "type": "text" + }, + { + "description": "The secondary reasons, motivations, or purposes behind this Intrusion Set. 
Open Vocab - attack-motivation-ov\n", + "level": "extended", + "name": "secondary_motivations", + "type": "text" + } + ], + "name": "intrusion_set", + "short": "Fields that let you store information about Intrusion Set.", + "title": "Intrusion Set", + "type": "group" + }, + { + "description": "Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.\n", + "fields": [ + { + "description": "Identifier of the Malware.\n", + "level": "core", + "name": "id", + "type": "keyword" + }, + { + "description": "The name used to identify the Malware.\n", + "level": "core", + "name": "name", + "type": "keyword" + }, + { + "description": "Description of the Malware.\n", + "level": "extended", + "name": "description", + "type": "text" + }, + { + "description": "The type of malware being described. Open Vocab - malware-label-ov. 
adware,backdoor,bot,ddos,dropper,exploit-kit,keylogger,ransomware, remote-access-trojan,resource-exploitation,rogue-security-software,rootkit, screen-capture,spyware,trojan,virus,worm\n", + "level": "core", + "name": "labels", + "type": "keyword" + }, + { + "description": "The list of kill chain phases for which this Malware instance can be used.\n", + "format": "string", + "level": "extended", + "name": "kill_chain_phases", + "type": "keyword" + } + ], + "name": "malware", + "short": "Fields that let you store information about Malware.", + "title": "Malware", + "type": "group" + }, + { + "description": "A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object.\n", + "fields": [ + { + "description": "Identifier of the Note.\n", + "level": "core", + "name": "id", + "type": "keyword" + }, + { + "description": "A brief description used as a summary of the Note.\n", + "level": "extended", + "name": "summary", + "type": "keyword" + }, + { + "description": "The content of the Note.\n", + "level": "extended", + "name": "description", + "type": "text" + }, + { + "description": "The name of the author(s) of this Note.\n", + "level": "extended", + "name": "authors", + "type": "keyword" + }, + { + "description": "The STIX Objects (SDOs and SROs) that the note is being applied to.\n", + "level": "extended", + "name": "object_refs", + "type": "keyword" + } + ], + "name": "note", + "short": "Fields that let you store information about Malware.", + "title": "Note", + "type": "group" + }, + { + "description": "Fields provide support for specifying information about threat indicators, and related matching patterns.\n", + "fields": [ + { + "description": "list of type open-vocab that specifies the type of indicator. 
\n", + "example": "Domain Watchlist\n", + "level": "core", + "name": "labels", + "type": "keyword" + }, + { + "description": "Identifier of the threat indicator.\n", + "level": "core", + "name": "id", + "type": "keyword" + }, + { + "description": "Version of the threat indicator.\n", + "level": "core", + "name": "version", + "type": "keyword" + }, + { + "description": "Type of the threat indicator.\n", + "level": "core", + "name": "type", + "type": "keyword" + }, + { + "description": "Description of the threat indicator.\n", + "level": "core", + "name": "description", + "type": "text" + }, + { + "description": "Name of the threat feed.\n", + "level": "core", + "name": "feed", + "type": "text" + }, + { + "description": "The time from which this Indicator should be considered valuable intelligence, in RFC3339 format.\n", + "level": "core", + "name": "valid_from", + "type": "date" + }, + { + "description": "The time at which this Indicator should no longer be considered valuable intelligence. 
If the valid_until property is omitted, then there is no constraint on the latest time for which the indicator should be used, in RFC3339 format.\n", + "level": "core", + "name": "valid_until", + "type": "date" + }, + { + "description": "Threat severity to which this indicator corresponds.\n", + "example": "high", + "format": "string", + "level": "core", + "name": "severity", + "type": "keyword" + }, + { + "description": "Confidence level to which this indicator corresponds.\n", + "example": "high", + "level": "core", + "name": "confidence", + "type": "keyword" + }, + { + "description": "The kill chain phase(s) to which this indicator corresponds.\n", + "format": "string", + "level": "extended", + "name": "kill_chain_phases", + "type": "keyword" + }, + { + "description": "MITRE tactics to which this indicator corresponds.\n", + "example": "Initial Access", + "format": "string", + "level": "extended", + "name": "mitre_tactic", + "type": "keyword" + }, + { + "description": "MITRE techniques to which this indicator corresponds.\n", + "example": "Drive-by Compromise", + "format": "string", + "level": "extended", + "name": "mitre_technique", + "type": "keyword" + }, + { + "description": "The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning. \n", + "example": "[destination:ip = '91.219.29.188/32']\n", + "level": "core", + "name": "attack_pattern", + "type": "keyword" + }, + { + "description": "The attack_pattern for this indicator is KQL query that matches the attack_pattern specified in the STIX Pattern format. 
\n", + "example": "destination.ip: \"91.219.29.188/32\"\n", + "level": "core", + "name": "attack_pattern_kql", + "type": "keyword" + }, + { + "description": "When set to true, it specifies the absence of the attack_pattern.\n", + "level": "core", + "name": "negate", + "type": "boolean" + }, + { + "description": "Name of the intrusion set if known.\n", + "level": "extended", + "name": "intrusion_set", + "type": "keyword" + }, + { + "description": "Name of the attack campaign if known.\n", + "level": "extended", + "name": "campaign", + "type": "keyword" + }, + { + "description": "Name of the threat actor if known.\n", + "level": "extended", + "name": "threat_actor", + "type": "keyword" + } + ], + "name": "threat_indicator", + "short": "Fields that let you store Threat Indicators", + "title": "Threat Indicator", + "type": "group" + }, + { + "description": "Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification.\n", + "fields": [ + { + "description": "Identifier of the Observed Data.\n", + "level": "core", + "name": "id", + "type": "keyword" + }, + { + "description": "The beginning of the time window that the data was observed, in RFC3339 format.\n", + "level": "core", + "name": "first_observed", + "type": "date" + }, + { + "description": "The end of the time window that the data was observed, in RFC3339 format.\n", + "level": "core", + "name": "last_observed", + "type": "date" + }, + { + "description": "The number of times the data represented in the objects property was observed. 
This MUST be an integer between 1 and 999,999,999 inclusive.\n", + "level": "core", + "name": "number_observed", + "type": "integer" + }, + { + "description": "A dictionary of Cyber Observable Objects that describes the single fact that was observed.\n", + "level": "core", + "name": "objects", + "type": "keyword" + } + ], + "name": "observed_data", + "short": "Fields that let you store information about Observed Data.", + "title": "Observed Data", + "type": "group" + }, + { + "description": "Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.\n", + "fields": [ + { + "description": "Identifier of the Report.\n", + "level": "core", + "name": "id", + "type": "keyword" + }, + { + "description": "This field is an Open Vocabulary that specifies the primary subject of this report. Open Vocab - report-label-ov. threat-report,attack-pattern,campaign,identity,indicator,malware,observed-data,threat-actor,tool,vulnerability\n", + "level": "core", + "name": "labels", + "type": "keyword" + }, + { + "description": "The name used to identify the Report.\n", + "level": "core", + "name": "name", + "type": "keyword" + }, + { + "description": "A description that provides more details and context about Report.\n", + "level": "extended", + "name": "description", + "type": "text" + }, + { + "description": "The date that this report object was officially published by the creator of this report, in RFC3339 format.\n", + "level": "extended", + "name": "published", + "type": "date" + }, + { + "description": "Specifies the STIX Objects that are referred to by this Report.\n", + "level": "core", + "name": "object_refs", + "type": "text" + } + ], + "name": "report", + "short": "Fields that let you store information about Report.", + "title": "Report", + "type": "group" + }, + { + "description": "Threat Actors are actual individuals, groups, or organizations 
believed to be operating with malicious intent.\n", + "fields": [ + { + "description": "Identifier of the Threat Actor.\n", + "level": "core", + "name": "id", + "type": "keyword" + }, + { + "description": "This field specifies the type of threat actor. Open Vocab - threat-actor-label-ov. activist,competitor,crime-syndicate,criminal,hacker,insider-accidental,insider-disgruntled,nation-state,sensationalist,spy,terrorist\n", + "level": "core", + "name": "labels", + "type": "keyword" + }, + { + "description": "The name used to identify this Threat Actor or Threat Actor group.\n", + "level": "core", + "name": "name", + "type": "keyword" + }, + { + "description": "A description that provides more details and context about the Threat Actor.\n", + "level": "extended", + "name": "description", + "type": "text" + }, + { + "description": "A list of other names that this Threat Actor is believed to use.\n", + "level": "extended", + "name": "aliases", + "type": "text" + }, + { + "description": "This is a list of roles the Threat Actor plays. Open Vocab - threat-actor-role-ov. agent,director,independent,sponsor,infrastructure-operator,infrastructure-architect,malware-author\n", + "level": "extended", + "name": "roles", + "type": "text" + }, + { + "description": "The high level goals of this Threat Actor, namely, what are they trying to do.\n", + "level": "extended", + "name": "goals", + "type": "text" + }, + { + "description": "The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. Open Vocab - threat-actor-sophistication-ov. none,minimal,intermediate,advanced,strategic,expert,innovator\n", + "level": "extended", + "name": "sophistication", + "type": "text" + }, + { + "description": "This defines the organizational level at which this Threat Actor typically works. Open Vocab - attack-resource-level-ov. 
individual,club,contest,team,organization,government\n", + "level": "extended", + "name": "resource_level", + "type": "text" + }, + { + "description": "The primary reason, motivation, or purpose behind this Threat Actor. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable\n", + "level": "extended", + "name": "primary_motivation", + "type": "text" + }, + { + "description": "The secondary reasons, motivations, or purposes behind this Threat Actor. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable\n", + "level": "extended", + "name": "secondary_motivations", + "type": "text" + }, + { + "description": "The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable\n", + "level": "extended", + "name": "personal_motivations", + "type": "text" + } + ], + "name": "threat_actor", + "short": "Fields that let you store information about Threat Actor.", + "title": "Threat Actor", + "type": "group" + }, + { + "description": "Tools are legitimate software that can be used by threat actors to perform attacks.\n", + "fields": [ + { + "description": "Identifier of the Tool.\n", + "level": "core", + "name": "id", + "type": "keyword" + }, + { + "description": "The kind(s) of tool(s) being described. Open Vocab - tool-label-ov. 
denial-of-service,exploitation,information-gathering,network-capture,credential-exploitation,remote-access,vulnerability-scanning\n", + "level": "core", + "name": "labels", + "type": "keyword" + }, + { + "description": "The name used to identify the Tool.\n", + "level": "core", + "name": "name", + "type": "keyword" + }, + { + "description": "A description that provides more details and context about the Tool.\n", + "level": "extended", + "name": "description", + "type": "text" + }, + { + "description": "The version identifier associated with the Tool.\n", + "level": "extended", + "name": "tool_version", + "type": "keyword" + }, + { + "description": "The list of kill chain phases for which this Tool instance can be used.\n", + "level": "extended", + "name": "kill_chain_phases", + "type": "text" + } + ], + "name": "tool", + "short": "Fields that let you store information about Tool.", + "title": "Tool", + "type": "group" + }, + { + "description": "A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.\n", + "fields": [ + { + "description": "Identifier of the Vulnerability.\n", + "level": "core", + "name": "id", + "type": "keyword" + }, + { + "description": "The name used to identify the Vulnerability.\n", + "level": "core", + "name": "name", + "type": "keyword" + }, + { + "description": "A description that provides more details and context about the Vulnerability.\n", + "level": "extended", + "name": "description", + "type": "text" + } + ], + "name": "vulnerability", + "short": "Fields that let you store information about Vulnerability.", + "title": "Vulnerability", + "type": "group" + } + ] + } + } + } + } + } + }, + "mongodb": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "mongodb" + } + ], + "fields.yml": [ + { + "description": "Module for parsing MongoDB log files.\n", + "fields": [ + { + "description": "Fields from MongoDB logs.\n", + 
"fields": null, + "name": "mongodb", + "type": "group" + } + ], + "key": "mongodb", + "title": "mongodb" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains fields from MongoDB logs.\n", + "fields": [ + { + "description": "Functional categorization of message\n", + "example": "COMMAND", + "name": "component", + "type": "keyword" + }, + { + "description": "Context of message\n", + "example": "initandlisten", + "name": "context", + "type": "keyword" + }, + { + "migration": true, + "name": "severity", + "path": "log.level", + "type": "alias" + }, + { + "migration": true, + "name": "message", + "path": "message", + "type": "alias" + } + ], + "name": "log", + "type": "group" + } + ] + } + } + } + } + } + }, + "mssql": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "mssql" + } + ], + "fields.yml": [ + { + "description": "MS SQL Filebeat Module", + "fields": [ + { + "description": "Fields from the MSSQL log files", + "fields": null, + "name": "mssql", + "type": "group" + } + ], + "key": "mssql", + "title": "mssql" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Common log fields", + "fields": [ + { + "description": "Origin of the message, usually the server but it can also be a recovery process", + "name": "origin", + "type": "keyword" + } + ], + "name": "log", + "type": "group" + } + ] + } + }, + "config": { + "files": { + "config.yml": [ + { + "description": "Common log fields", + "fields": [ + { + "description": "Origin of the message, usually the server but it can also be a recovery process", + "name": "origin", + "type": "keyword" + } + ], + "name": "log", + "type": "group" + } + ] + } + } + } + } + } + }, + "mysql": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "error": { + "enabled": true + }, + "module": "mysql", + "slowlog": { + "enabled": true + } + } + 
], + "fields.yml": [ + { + "description": "Module for parsing the MySQL log files.\n", + "fields": [ + { + "description": "Fields from the MySQL log files.\n", + "fields": [ + { + "description": "The connection or thread ID for the query.\n", + "name": "thread_id", + "type": "long" + } + ], + "name": "mysql", + "type": "group" + } + ], + "key": "mysql", + "short_config": true, + "title": "MySQL" + } + ] + } + }, + "error": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains fields from the MySQL error logs.\n", + "fields": [ + { + "migration": true, + "name": "thread_id", + "path": "mysql.thread_id", + "type": "alias" + }, + { + "migration": true, + "name": "level", + "path": "log.level", + "type": "alias" + }, + { + "migration": true, + "name": "message", + "path": "message", + "type": "alias" + } + ], + "name": "error", + "type": "group" + } + ] + } + } + } + }, + "slowlog": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains fields from the MySQL slow logs.\n", + "fields": [ + { + "description": "The amount of time the query waited for the lock to be available. 
The value is in seconds, as a floating point number.\n", + "name": "lock_time.sec", + "type": "float" + }, + { + "description": "The number of rows returned by the query.\n", + "name": "rows_sent", + "type": "long" + }, + { + "description": "The number of rows scanned by the query.\n", + "name": "rows_examined", + "type": "long" + }, + { + "description": "The number of rows modified by the query.\n", + "name": "rows_affected", + "type": "long" + }, + { + "description": "The number of bytes sent to client.\n", + "format": "bytes", + "name": "bytes_sent", + "type": "long" + }, + { + "description": "The number of bytes received from client.\n", + "format": "bytes", + "name": "bytes_received", + "type": "long" + }, + { + "description": "The slow query.\n", + "name": "query" + }, + { + "migration": true, + "name": "id", + "path": "mysql.thread_id", + "type": "alias" + }, + { + "description": "The schema where the slow query was executed.\n", + "name": "schema", + "type": "keyword" + }, + { + "description": "Current authenticated user, used to determine access privileges. 
Can differ from the value for user.\n", + "name": "current_user", + "type": "keyword" + }, + { + "description": "Last SQL error seen.\n", + "name": "last_errno", + "type": "keyword" + }, + { + "description": "Code of the reason if the query was killed.\n", + "name": "killed", + "type": "keyword" + }, + { + "description": "Whether the query cache was hit.\n", + "name": "query_cache_hit", + "type": "boolean" + }, + { + "description": "Whether a temporary table was used to resolve the query.\n", + "name": "tmp_table", + "type": "boolean" + }, + { + "description": "Whether the query needed temporary tables on disk.\n", + "name": "tmp_table_on_disk", + "type": "boolean" + }, + { + "description": "Number of temporary tables created for this query\n", + "name": "tmp_tables", + "type": "long" + }, + { + "description": "Number of temporary tables created on disk for this query.\n", + "name": "tmp_disk_tables", + "type": "long" + }, + { + "description": "Size of temporary tables created for this query.", + "format": "bytes", + "name": "tmp_table_sizes", + "type": "long" + }, + { + "description": "Whether filesort optimization was used.\n", + "name": "filesort", + "type": "boolean" + }, + { + "description": "Whether filesort optimization was used and it needed temporary tables on disk.\n", + "name": "filesort_on_disk", + "type": "boolean" + }, + { + "description": "Whether a priority queue was used for filesort.\n", + "name": "priority_queue", + "type": "boolean" + }, + { + "description": "Whether a full table scan was needed for the slow query.\n", + "name": "full_scan", + "type": "boolean" + }, + { + "description": "Whether a full join was needed for the slow query (no indexes were used for joins).\n", + "name": "full_join", + "type": "boolean" + }, + { + "description": "Number of merge passes executed for the query.\n", + "name": "merge_passes", + "type": "long" + }, + { + "description": "Number of merge passes that the sort algorithm has had to do.\n", + "name": 
"sort_merge_passes", + "type": "long" + }, + { + "description": "Number of sorts that were done using ranges. \n", + "name": "sort_range_count", + "type": "long" + }, + { + "description": "Number of sorted rows.\n", + "name": "sort_rows", + "type": "long" + }, + { + "description": "Number of sorts that were done by scanning the table.\n", + "name": "sort_scan_count", + "type": "long" + }, + { + "description": "Type of slow log rate limit, it can be `session` if the rate limit is applied per session, or `query` if it applies per query.\n", + "name": "log_slow_rate_type", + "type": "keyword" + }, + { + "description": "Slow log rate limit, a value of 100 means that one in a hundred queries or sessions are being logged.\n", + "name": "log_slow_rate_limit", + "type": "keyword" + }, + { + "description": "The number of times the first entry in an index was read.\n", + "name": "read_first", + "type": "long" + }, + { + "description": "The number of times the last key in an index was read.\n", + "name": "read_last", + "type": "long" + }, + { + "description": "The number of requests to read a row based on a key.\n", + "name": "read_key", + "type": "long" + }, + { + "description": "The number of requests to read the next row in key order.\n", + "name": "read_next", + "type": "long" + }, + { + "description": "The number of requests to read the previous row in key order.\n", + "name": "read_prev", + "type": "long" + }, + { + "description": "The number of requests to read a row based on a fixed position. 
\n", + "name": "read_rnd", + "type": "long" + }, + { + "description": "The number of requests to read the next row in the data file.\n", + "name": "read_rnd_next", + "type": "long" + }, + { + "description": "Contains fields relative to InnoDB engine\n", + "fields": [ + { + "description": "Transaction ID\n", + "name": "trx_id", + "type": "keyword" + }, + { + "description": "Number of page read operations.\n", + "name": "io_r_ops", + "type": "long" + }, + { + "description": "Bytes read during page read operations.\n", + "format": "bytes", + "name": "io_r_bytes", + "type": "long" + }, + { + "description": "How long it took to read all needed data from storage.\n", + "name": "io_r_wait.sec", + "type": "long" + }, + { + "description": "How long the query waited for locks.\n", + "name": "rec_lock_wait.sec", + "type": "long" + }, + { + "description": "How long the query waited to enter the InnoDB queue and to be executed once in the queue.\n", + "name": "queue_wait.sec", + "type": "long" + }, + { + "description": "Approximated count of pages accessed to execute the query.\n", + "name": "pages_distinct", + "type": "long" + } + ], + "name": "innodb", + "type": "group" + }, + { + "migration": true, + "name": "user", + "path": "user.name", + "type": "alias" + }, + { + "migration": true, + "name": "host", + "path": "source.domain", + "type": "alias" + }, + { + "migration": true, + "name": "ip", + "path": "source.ip", + "type": "alias" + } + ], + "name": "slowlog", + "type": "group" + } + ] + } + } + } + } + } + }, + "nats": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "nats" + } + ], + "fields.yml": [ + { + "description": "Module for parsing NATS log files.\n", + "fields": [ + { + "description": "Fields from NATS logs.\n", + "fields": null, + "name": "nats", + "type": "group" + } + ], + "key": "nats", + "release": "beta", + "title": "NATS" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + 
"fields.yml": [ + { + "description": "Nats log files\n", + "fields": [ + { + "description": "Fields from NATS logs client.\n", + "fields": [ + { + "description": "The id of the client\n", + "name": "id", + "type": "integer" + } + ], + "name": "client", + "type": "group" + }, + { + "description": "Fields from NATS logs message.\n", + "fields": [ + { + "description": "Size of the payload in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "The protocol message type\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Subject name this message was received on\n", + "name": "subject", + "type": "keyword" + }, + { + "description": "The unique alphanumeric subscription ID of the subject\n", + "name": "sid", + "type": "integer" + }, + { + "description": "The inbox subject on which the publisher is listening for responses\n", + "name": "reply_to", + "type": "keyword" + }, + { + "description": "An optional number of messages to wait for before automatically unsubscribing\n", + "name": "max_messages", + "type": "integer" + }, + { + "description": "Details about the error occurred\n", + "name": "error.message", + "type": "text" + }, + { + "description": "The queue group which subscriber will join\n", + "name": "queue_group", + "type": "text" + } + ], + "name": "msg", + "type": "group" + } + ], + "name": "log", + "release": "beta", + "type": "group" + } + ] + } + } + } + } + } + }, + "netflow": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true, + "var": { + "netflow_host": "localhost", + "netflow_port": 2055 + } + }, + "module": "netflow" + } + ], + "fields.yml": [ + { + "description": "Module for receiving NetFlow and IPFIX flow records over UDP. 
The module does not add fields beyond what the netflow input provides.\n", + "fields": null, + "key": "netflow-module", + "skipdocs": null, + "title": "NetFlow" + } + ] + } + } + } + }, + "netscout": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "module": "netscout", + "sightline": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "netscout fields.\n", + "fields": null, + "key": "netscout", + "title": "Arbor Peakflow SP" + } + ] + } + }, + "sightline": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Name of the network interface where the traffic has been observed.\n", + "name": "network.interface.name", + "overwrite": true, + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "fields": [ + { + "description": "This key is used to capture the raw message that comes into the Log Decoder", + "name": "msg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "messageid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of instant messages", + "name": "message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.", + "name": "time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "level", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_vid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "data", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "statement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "audit_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "entry", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "hcode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "inode", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource_class", + "overwrite": true, + "type": "keyword" + }, + { 
+ "description": "Deprecated key defined only in table map.", + "name": "dead", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "device_type_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "did", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "event_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.", + "name": "forward_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "forward_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "header_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_ctime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session", + "name": "medium", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "node_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key denotes that event is endpoint related", + "name": "nwe_callback_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "parse_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.", + "name": "process_vid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.", + "name": "process_vid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "rid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "session_split", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "site", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "size", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "sourcefile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log", + "name": "word", + "overwrite": true, + "type": "keyword" + } + ], + "name": "internal", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form", + "name": "event_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the normalized duration/lifetime in seconds.", + "name": "duration_time", + "overwrite": true, + "type": "double" + }, + { + "description": "This key is used to capture the incomplete time mentioned in a session as a string", + "name": "event_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Start time mentioned in a session in a 
standard form", + "name": "starttime", + "overwrite": true, + "type": "date" + }, + { + "name": "month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "day", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the End time mentioned in a session in a standard form", + "name": "endtime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the timezone of the Event Time", + "name": "timezone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A text string version of the duration", + "name": "duration_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. 
Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": "expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": 
true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a 
sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. 
Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd Linked ID. 
Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + "name": 
"event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI", + "name": "ip_proto", + "overwrite": true, + "type": "long" + }, + { + "name": "dns_cname_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_opcode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_resp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "host_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "packet_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.", + "name": "host_orig", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.", + "name": "rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the name of the Virtual LAN", + "name": "vlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "network", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures the particular event activity(Ex:Logoff)", + "name": "ec_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Theme of a particular Event(Ex:Authentication)", + "name": "ec_theme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Subject of a particular Event(Ex:User)", + "name": "ec_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the outcome of a particular Event(Ex:Success)", + "name": "ec_outcome", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Event 
category number", + "name": "event_cat", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the event category name corresponding to the event cat code", + "name": "event_cat_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.", + "name": "event_vcat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file", + "name": "analysis_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service", + "name": "analysis_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session", + "name": "analysis_session", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture behaviour of compromise", + "name": "boc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Enablers of Compromise", + "name": "eoc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation category", + "name": "inv_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation context", + "name": "inv_context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is key capture indicator of compromise", + "name": "ioc", + "overwrite": true, + "type": "keyword" + } + ], + "name": "investigations", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is a generic counter key that should be used with the label dclass.c1.str only", + "name": "dclass_c1", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c2.str only", + "name": "dclass_c2", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the number of times an event repeated", + "name": "event_counter", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r1.str only", + "name": "dclass_r1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c3.str only", + "name": "dclass_c3", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c1 only", + "name": "dclass_c1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter 
string key that should be used with the label dclass.c2 only", + "name": "dclass_c2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r1 only", + "name": "dclass_r1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r2.str only", + "name": "dclass_r2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c3 only", + "name": "dclass_c3_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r3.str only", + "name": "dclass_r3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r2 only", + "name": "dclass_r2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r3 only", + "name": "dclass_r3_str", + "overwrite": true, + "type": "keyword" + } + ], + "name": "counters", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture authentication methods used only", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Role of a user only", + "name": "user_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "X.500 (LDAP) Distinguished Name", + "name": "dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the type of logon method used.", + "name": "logon_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the user profile", + "name": "profile", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key is used to capture actual privileges used in accessing an object", + "name": "accesses", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Radius realm or similar grouping of accounts", + "name": "realm", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination User Session ID", + "name": "user_sid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn", + "name": "dn_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the User organization", + "name": "org", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn", + "name": "dn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "firstname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "lastname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User's Department Names only", + "name": "user_dept", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source User Session ID", + "name": "user_sid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Federated Service Provider. This is the application requesting authentication.", + "name": "federated_sp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the federated Identity Provider. 
This is the server providing the authentication.", + "name": "federated_idp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.", + "name": "logon_type_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "middlename", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Passwords seen in any session, plain text or encrypted", + "name": "password", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the role of a Host Machine", + "name": "host_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context", + "name": "ldap", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Search criteria from an LDAP search", + "name": "ldap_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to capture Results from an LDAP search", + "name": "ldap_response", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture username the process or service is running as, the author of the task", + "name": "owner", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage", + "name": "service_account", + "overwrite": true, + "type": "keyword" + } + ], + "name": "identity", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email", + "name": "email_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the source email address only, when the source context is not clear use email", + "name": "email_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the subject string from an Email only.", + "name": "subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a generic email address where the source or destination context is not clear", + "name": "email", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_to", + "overwrite": true, + "type": "keyword" + } + ], + "name": "email", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Deprecated, use permissions", + "name": "privilege", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the attachment file name", + "name": "attachment", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filesystem", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "binary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the file targeted by the action", + "name": "filename_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the parent filename, the 
file which performed the action", + "name": "filename_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filename_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the target process or file", + "name": "directory_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the source process or file", + "name": "directory_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture entropy vale of a file", + "name": "file_entropy", + "overwrite": true, + "type": "double" + }, + { + "description": "This is used to capture Company name of file located in version_info", + "name": "file_vendor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the task", + "name": "task_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "file", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Fully Qualified Domain Names", + "name": "fqdn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Web cookies specifically.", + "name": "web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reputation Number of an entity. 
Typically used for Web Domains", + "name": "reputation_num", + "overwrite": true, + "type": "double" + }, + { + "description": "Web referer's domain", + "name": "web_ref_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's query portion of the URL", + "name": "web_ref_query", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's page information", + "name": "web_ref_page", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web referer's root URL path", + "name": "web_ref_root", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_rpackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlpage", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlroot", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_url", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_method", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_referer", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_extension_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_page", + "overwrite": true, + "type": "keyword" + } + ], + "name": "web", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures Threat Name/Threat Category/Categorization of alert", + "name": "threat_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the threat description from the session directly or inferred", + "name": "threat_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": 
"This key is used to capture name of the alert", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source of the threat", + "name": "threat_source", + "overwrite": true, + "type": "keyword" + } + ], + "name": "threat", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Encryption Type or Encryption Key only", + "name": "crypto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Source (Client) Cipher", + "name": "cipher_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate organization only", + "name": "cert_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer's IP Address", + "name": "peer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source (Client) Cipher Size", + "name": "cipher_size_src", + "overwrite": true, + "type": "long" + }, + { + "description": "IKE negotiation phase.", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Encryption scheme used", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer\u2019s identity", + "name": "peer_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Signature Type", + "name": "sig_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_issuer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "cert_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Certificate Error String", + "name": "cert_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Destination 
(Server) Cipher", + "name": "cipher_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination (Server) Cipher Size", + "name": "cipher_size_dst", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "d_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "name": "s_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One", + "name": "ike_cookie1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two", + "name": "ike_cookie2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used for the hostname category value of a certificate", + "name": "cert_host_cat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate serial number only", + "name": "cert_serial", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Certificate validation status", + "name": "cert_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_keysize", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_insact", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_valid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate signing authority only", + "name": "cert_ca", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate common 
name only", + "name": "cert_common", + "overwrite": true, + "type": "keyword" + } + ], + "name": "crypto", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the ssid of a Wireless Session", + "name": "wlan_ssid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the access point name.", + "name": "access_point", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the channel names", + "name": "wlan_channel", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures either WLAN number/name", + "name": "wlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "wireless", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "A unique name assigned to logical units (volumes) within a physical disk", + "name": "disk_volume", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Logical Unit Number.This key is a very useful concept in Storage.", + "name": "lun", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This uniquely identifies a port on a HBA.", + "name": "pwwn", + "overwrite": true, + "type": "keyword" + } + ], + "name": "storage", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.", + "name": "org_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.", + "name": "org_src", + "overwrite": true, + "type": "keyword" + } + ], + "name": "physical", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_fname", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "This key captures the unique ID for a patient", + "name": "patient_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_lname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_mname", + "overwrite": true, + "type": "keyword" + } + ], + "name": "healthcare", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on", + "name": "host_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the path to the registry key", + "name": "registry_key", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures values or decorators used within a registry entry", + "name": "registry_value", + "overwrite": true, + "type": "keyword" + } + ], + "name": "endpoint", + "overwrite": true, + "type": "group" + } + ], + "name": "rsa", + "overwrite": true, + "type": "group" + } + ] + } + } + } + } + } + }, + "nginx": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "access": { + "enabled": true + }, + "error": { + "enabled": true + }, + "ingress_controller": { + "enabled": false + }, + "module": "nginx" + } + ], + "fields.yml": [ + { + "description": "Module for parsing the Nginx log files.\n", + "fields": [ + { + "description": "Fields from the Nginx log files.\n", + "fields": null, + "name": "nginx", + "type": "group" + } + ], + "key": "nginx", + "short_config": true, + "title": "Nginx" + } + ] + } + }, + "access": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains fields for the 
Nginx access logs.\n", + "fields": [ + { + "description": "An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`.\n", + "name": "remote_ip_list", + "type": "array" + }, + { + "migration": true, + "name": "body_sent.bytes", + "path": "http.response.body.bytes", + "type": "alias" + }, + { + "migration": true, + "name": "user_name", + "path": "user.name", + "type": "alias" + }, + { + "migration": true, + "name": "method", + "path": "http.request.method", + "type": "alias" + }, + { + "migration": true, + "name": "url", + "path": "url.original", + "type": "alias" + }, + { + "migration": true, + "name": "http_version", + "path": "http.version", + "type": "alias" + }, + { + "migration": true, + "name": "response_code", + "path": "http.response.status_code", + "type": "alias" + }, + { + "migration": true, + "name": "referrer", + "path": "http.request.referrer", + "type": "alias" + }, + { + "migration": true, + "name": "agent", + "path": "user_agent.original", + "type": "alias" + }, + { + "fields": [ + { + "migration": true, + "name": "device", + "path": "user_agent.device.name", + "type": "alias" + }, + { + "migration": true, + "name": "name", + "path": "user_agent.name", + "type": "alias" + }, + { + "migration": true, + "name": "os", + "path": "user_agent.os.full_name", + "type": "alias" + }, + { + "migration": true, + "name": "os_name", + "path": "user_agent.os.name", + "type": "alias" + }, + { + "migration": true, + "name": "original", + "path": "user_agent.original", + "type": "alias" + } + ], + "name": "user_agent", + "type": "group" + }, + { + "fields": [ + { + "migration": true, + "name": "continent_name", + "path": "source.geo.continent_name", + "type": "alias" + }, + { + "migration": true, + "name": "country_iso_code", + "path": "source.geo.country_iso_code", + "type": "alias" + }, + { + "migration": true, + "name": 
"location", + "path": "source.geo.location", + "type": "alias" + }, + { + "migration": true, + "name": "region_name", + "path": "source.geo.region_name", + "type": "alias" + }, + { + "migration": true, + "name": "city_name", + "path": "source.geo.city_name", + "type": "alias" + }, + { + "migration": true, + "name": "region_iso_code", + "path": "source.geo.region_iso_code", + "type": "alias" + } + ], + "name": "geoip", + "type": "group" + } + ], + "name": "access", + "type": "group" + } + ] + } + } + } + }, + "error": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains fields for the Nginx error logs.\n", + "fields": [ + { + "description": "Connection identifier.\n", + "name": "connection_id", + "type": "long" + }, + { + "migration": true, + "name": "level", + "path": "log.level", + "type": "alias" + }, + { + "migration": true, + "name": "pid", + "path": "process.pid", + "type": "alias" + }, + { + "migration": true, + "name": "tid", + "path": "process.thread.id", + "type": "alias" + }, + { + "migration": true, + "name": "message", + "path": "message", + "type": "alias" + } + ], + "name": "error", + "type": "group" + } + ] + } + } + } + }, + "ingress_controller": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains fields for the Ingress Nginx controller access logs.\n", + "fields": [ + { + "description": "An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. 
Real source IP is restored to `source.ip`.\n", + "name": "remote_ip_list", + "type": "array" + }, + { + "description": "The request length (including request line, header, and request body)\n", + "format": "bytes", + "name": "http.request.length", + "type": "long" + }, + { + "description": "Time elapsed since the first bytes were read from the client\n", + "format": "duration", + "name": "http.request.time", + "type": "double" + }, + { + "description": "The name of the upstream.\n", + "name": "upstream.name", + "type": "keyword" + }, + { + "description": "The name of the alternative upstream.\n", + "name": "upstream.alternative_name", + "type": "keyword" + }, + { + "description": "The length of the response obtained from the upstream server\n", + "format": "bytes", + "name": "upstream.response.length", + "type": "long" + }, + { + "description": "The time spent on receiving the response from the upstream server as seconds with millisecond resolution\n", + "format": "duration", + "name": "upstream.response.time", + "type": "double" + }, + { + "description": "The status code of the response obtained from the upstream server\n", + "name": "upstream.response.status_code", + "type": "long" + }, + { + "description": "The randomly generated ID of the request\n", + "name": "http.request.id", + "type": "keyword" + }, + { + "description": "The IP address of the upstream server. 
If several servers were contacted during request processing, their addresses are separated by commas.\n", + "name": "upstream.ip", + "type": "ip" + }, + { + "description": "The port of the upstream server.\n", + "name": "upstream.port", + "type": "long" + }, + { + "migration": true, + "name": "body_sent.bytes", + "path": "http.response.body.bytes", + "type": "alias" + }, + { + "migration": true, + "name": "user_name", + "path": "user.name", + "type": "alias" + }, + { + "migration": true, + "name": "method", + "path": "http.request.method", + "type": "alias" + }, + { + "migration": true, + "name": "url", + "path": "url.original", + "type": "alias" + }, + { + "migration": true, + "name": "http_version", + "path": "http.version", + "type": "alias" + }, + { + "migration": true, + "name": "response_code", + "path": "http.response.status_code", + "type": "alias" + }, + { + "migration": true, + "name": "referrer", + "path": "http.request.referrer", + "type": "alias" + }, + { + "migration": true, + "name": "agent", + "path": "user_agent.original", + "type": "alias" + }, + { + "fields": [ + { + "migration": true, + "name": "device", + "path": "user_agent.device.name", + "type": "alias" + }, + { + "migration": true, + "name": "name", + "path": "user_agent.name", + "type": "alias" + }, + { + "migration": true, + "name": "os", + "path": "user_agent.os.full_name", + "type": "alias" + }, + { + "migration": true, + "name": "os_name", + "path": "user_agent.os.name", + "type": "alias" + }, + { + "migration": true, + "name": "original", + "path": "user_agent.original", + "type": "alias" + } + ], + "name": "user_agent", + "type": "group" + }, + { + "fields": [ + { + "migration": true, + "name": "continent_name", + "path": "source.geo.continent_name", + "type": "alias" + }, + { + "migration": true, + "name": "country_iso_code", + "path": "source.geo.country_iso_code", + "type": "alias" + }, + { + "migration": true, + "name": "location", + "path": "source.geo.location", + "type": 
"alias" + }, + { + "migration": true, + "name": "region_name", + "path": "source.geo.region_name", + "type": "alias" + }, + { + "migration": true, + "name": "city_name", + "path": "source.geo.city_name", + "type": "alias" + }, + { + "migration": true, + "name": "region_iso_code", + "path": "source.geo.region_iso_code", + "type": "alias" + } + ], + "name": "geoip", + "type": "group" + } + ], + "name": "ingress_controller", + "type": "group" + } + ] + } + } + } + } + } + }, + "o365": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "audit": { + "enabled": true, + "var.application_id": "", + "var.client_secret": "", + "var.tenants": [ + { + "id": "", + "name": "mytenant.onmicrosoft.com" + } + ] + }, + "module": "o365" + } + ], + "fields.yml": [ + { + "description": "Module for handling logs from Office 365.\n", + "fields": null, + "key": "o365", + "title": "Office 365" + } + ] + } + }, + "audit": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields from Office 365 Management API audit logs.\n", + "fields": [ + { + "fields": [ + { + "name": "ID", + "type": "keyword" + }, + { + "name": "Type", + "type": "keyword" + } + ], + "name": "Actor", + "type": "array" + }, + { + "name": "ActorContextId", + "type": "keyword" + }, + { + "name": "ActorIpAddress", + "type": "keyword" + }, + { + "name": "ActorUserId", + "type": "keyword" + }, + { + "name": "ActorYammerUserId", + "type": "keyword" + }, + { + "name": "AlertEntityId", + "type": "keyword" + }, + { + "name": "AlertId", + "type": "keyword" + }, + { + "name": "AlertLinks", + "type": "array" + }, + { + "name": "AlertType", + "type": "keyword" + }, + { + "name": "AppId", + "type": "keyword" + }, + { + "name": "ApplicationDisplayName", + "type": "keyword" + }, + { + "name": "ApplicationId", + "type": "keyword" + }, + { + "name": "AzureActiveDirectoryEventType", + "type": "keyword" + }, + { + "name": "ExchangeMetaData.*", + "type": "object" + }, + { 
+ "name": "Category", + "type": "keyword" + }, + { + "name": "ClientAppId", + "type": "keyword" + }, + { + "name": "ClientInfoString", + "type": "keyword" + }, + { + "name": "ClientIP", + "type": "keyword" + }, + { + "name": "ClientIPAddress", + "type": "keyword" + }, + { + "name": "Comments", + "norms": false, + "type": "text" + }, + { + "name": "CorrelationId", + "type": "keyword" + }, + { + "name": "CreationTime", + "type": "keyword" + }, + { + "name": "CustomUniqueId", + "type": "keyword" + }, + { + "name": "Data", + "type": "keyword" + }, + { + "name": "DataType", + "type": "keyword" + }, + { + "name": "EntityType", + "type": "keyword" + }, + { + "name": "EventData", + "type": "keyword" + }, + { + "name": "EventSource", + "type": "keyword" + }, + { + "name": "ExceptionInfo.*", + "type": "object" + }, + { + "name": "ExtendedProperties.*", + "type": "object" + }, + { + "name": "ExternalAccess", + "type": "keyword" + }, + { + "name": "GroupName", + "type": "keyword" + }, + { + "name": "Id", + "type": "keyword" + }, + { + "name": "ImplicitShare", + "type": "keyword" + }, + { + "name": "IncidentId", + "type": "keyword" + }, + { + "name": "InternalLogonType", + "type": "keyword" + }, + { + "name": "InterSystemsId", + "type": "keyword" + }, + { + "name": "IntraSystemId", + "type": "keyword" + }, + { + "name": "Item.*", + "type": "object" + }, + { + "name": "Item.*.*", + "type": "object" + }, + { + "name": "ItemName", + "type": "keyword" + }, + { + "name": "ItemType", + "type": "keyword" + }, + { + "name": "ListId", + "type": "keyword" + }, + { + "name": "ListItemUniqueId", + "type": "keyword" + }, + { + "name": "LogonError", + "type": "keyword" + }, + { + "name": "LogonType", + "type": "keyword" + }, + { + "name": "LogonUserSid", + "type": "keyword" + }, + { + "name": "MailboxGuid", + "type": "keyword" + }, + { + "name": "MailboxOwnerMasterAccountSid", + "type": "keyword" + }, + { + "name": "MailboxOwnerSid", + "type": "keyword" + }, + { + "name": "MailboxOwnerUPN", 
+ "type": "keyword" + }, + { + "name": "Members", + "type": "array" + }, + { + "name": "Members.*", + "type": "object" + }, + { + "name": "ModifiedProperties.*.*", + "type": "object" + }, + { + "name": "Name", + "type": "keyword" + }, + { + "name": "ObjectId", + "type": "keyword" + }, + { + "name": "Operation", + "type": "keyword" + }, + { + "name": "OrganizationId", + "type": "keyword" + }, + { + "name": "OrganizationName", + "type": "keyword" + }, + { + "name": "OriginatingServer", + "type": "keyword" + }, + { + "name": "Parameters.*", + "type": "object" + }, + { + "name": "PolicyDetails", + "type": "array" + }, + { + "name": "PolicyId", + "type": "keyword" + }, + { + "name": "RecordType", + "type": "keyword" + }, + { + "name": "ResultStatus", + "type": "keyword" + }, + { + "name": "SensitiveInfoDetectionIsIncluded", + "type": "keyword" + }, + { + "name": "SharePointMetaData.*", + "type": "object" + }, + { + "name": "SessionId", + "type": "keyword" + }, + { + "name": "Severity", + "type": "keyword" + }, + { + "name": "Site", + "type": "keyword" + }, + { + "name": "SiteUrl", + "type": "keyword" + }, + { + "name": "Source", + "type": "keyword" + }, + { + "name": "SourceFileExtension", + "type": "keyword" + }, + { + "name": "SourceFileName", + "type": "keyword" + }, + { + "name": "SourceRelativeUrl", + "type": "keyword" + }, + { + "name": "Status", + "type": "keyword" + }, + { + "name": "SupportTicketId", + "type": "keyword" + }, + { + "fields": [ + { + "name": "ID", + "type": "keyword" + }, + { + "name": "Type", + "type": "keyword" + } + ], + "name": "Target", + "type": "array" + }, + { + "name": "TargetContextId", + "type": "keyword" + }, + { + "name": "TargetUserOrGroupName", + "type": "keyword" + }, + { + "name": "TargetUserOrGroupType", + "type": "keyword" + }, + { + "name": "TeamName", + "type": "keyword" + }, + { + "name": "TeamGuid", + "type": "keyword" + }, + { + "name": "UniqueSharingId", + "type": "keyword" + }, + { + "name": "UserAgent", + "type": 
"keyword" + }, + { + "name": "UserId", + "type": "keyword" + }, + { + "name": "UserKey", + "type": "keyword" + }, + { + "name": "UserType", + "type": "keyword" + }, + { + "name": "Version", + "type": "keyword" + }, + { + "name": "WebId", + "type": "keyword" + }, + { + "name": "Workload", + "type": "keyword" + }, + { + "name": "YammerNetworkId", + "type": "keyword" + } + ], + "name": "o365.audit", + "type": "group" + } + ] + } + } + } + } + } + }, + "okta": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "module": "okta", + "system": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "Module for handling system logs from Okta.\n", + "fields": [ + { + "default_field": false, + "description": "Fields from Okta.\n", + "fields": null, + "name": "okta", + "type": "group" + } + ], + "key": "okta", + "title": "Okta" + } + ] + } + }, + "system": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "The unique identifier of the Okta LogEvent.\n", + "name": "uuid", + "short": "The unique identifier of the Okta LogEvent.", + "title": "UUID", + "type": "keyword" + }, + { + "description": "The type of the LogEvent.\n", + "name": "event_type", + "short": "The type of the LogEvent.", + "title": "Event Type", + "type": "keyword" + }, + { + "description": "The version of the LogEvent.\n", + "name": "version", + "short": "The version of the LogEvent.", + "title": "Version", + "type": "keyword" + }, + { + "description": "The severity of the LogEvent. 
Must be one of DEBUG, INFO, WARN, or ERROR.\n", + "name": "severity", + "short": "The severity of the LogEvent.", + "title": "Severity", + "type": "keyword" + }, + { + "description": "The display message of the LogEvent.\n", + "name": "display_message", + "short": "The display message of the LogEvent.", + "title": "Display Message", + "type": "keyword" + }, + { + "description": "Fields that let you store information of the actor for the LogEvent.\n", + "fields": [ + { + "description": "Identifier of the actor.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Type of the actor.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Alternate identifier of the actor.\n", + "name": "alternate_id", + "type": "keyword" + }, + { + "description": "Display name of the actor.\n", + "name": "display_name", + "type": "keyword" + } + ], + "name": "actor", + "short": "Fields of the actor for the LogEvent.", + "title": "Actor", + "type": "group" + }, + { + "description": "Fields that let you store information about the client of the actor.\n", + "fields": [ + { + "description": "The IP address of the client.\n", + "name": "ip", + "type": "ip" + }, + { + "description": "Fields about the user agent information of the client.\n", + "fields": [ + { + "description": "The raw informaton of the user agent.\n", + "name": "raw_user_agent", + "type": "keyword" + }, + { + "description": "The OS informaton.\n", + "name": "os", + "type": "keyword" + }, + { + "description": "The browser informaton of the client.\n", + "name": "browser", + "type": "keyword" + } + ], + "name": "user_agent", + "type": "group" + }, + { + "description": "The zone information of the client.\n", + "name": "zone", + "type": "keyword" + }, + { + "description": "The information of the client device.\n", + "name": "device", + "type": "keyword" + }, + { + "description": "The identifier of the client.\n", + "name": "id", + "type": "keyword" + } + ], + "name": "client", + "short": "Fields 
about the client of the actor.", + "title": "Client", + "type": "group" + }, + { + "description": "Fields that let you store information about the outcome.\n", + "fields": [ + { + "description": "The reason of the outcome.\n", + "name": "reason", + "type": "keyword" + }, + { + "description": "The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.\n", + "name": "result", + "type": "keyword" + } + ], + "name": "outcome", + "short": "Fields that let you store information about the outcome.", + "title": "Outcome of the LogEvent.", + "type": "group" + }, + { + "description": "The list of targets.\n", + "fields": [ + { + "description": "Identifier of the actor.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Type of the actor.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Alternate identifier of the actor.\n", + "name": "alternate_id", + "type": "keyword" + }, + { + "description": "Display name of the actor.\n", + "name": "display_name", + "type": "keyword" + } + ], + "name": "target", + "short": "The list of targets.", + "title": "Target", + "type": "array" + }, + { + "description": "Fields that let you store information about related transaction.\n", + "fields": [ + { + "description": "Identifier of the transaction.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "The type of transaction. 
Must be one of \"WEB\", \"JOB\".\n", + "name": "type", + "type": "keyword" + } + ], + "name": "transaction", + "short": "Fields that let you store information about related transaction.", + "title": "Transaction", + "type": "group" + }, + { + "description": "Fields that let you store information about the debug context.\n", + "fields": [ + { + "description": "The debug data.\n", + "fields": [ + { + "description": "The fingerprint of the device.\n", + "name": "device_fingerprint", + "type": "keyword" + }, + { + "description": "The identifier of the request.\n", + "name": "request_id", + "type": "keyword" + }, + { + "description": "The request URI.\n", + "name": "request_uri", + "type": "keyword" + }, + { + "description": "Threat suspected.\n", + "name": "threat_suspected", + "type": "keyword" + }, + { + "description": "The URL.\n", + "name": "url", + "type": "keyword" + } + ], + "name": "debug_data", + "type": "group" + } + ], + "name": "debug_context", + "short": "Fields that let you store information about the debug context.", + "title": "Debug Context", + "type": "group" + }, + { + "description": "Fields that let you store information about authentication context.\n", + "fields": [ + { + "description": "The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER.\n", + "name": "authentication_provider", + "type": "keyword" + }, + { + "description": "The authentication step.\n", + "name": "authentication_step", + "type": "integer" + }, + { + "description": "The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY.\n", + "name": "credential_provider", + "type": "keyword" + }, + { + "description": "The information about credential type. 
Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID.\n", + "name": "credential_type", + "type": "keyword" + }, + { + "description": "The information about the issuer.\n", + "fields": [ + { + "description": "The identifier of the issuer.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "The type of the issuer.\n", + "name": "type", + "type": "keyword" + } + ], + "name": "issuer", + "type": "array" + }, + { + "description": "The session identifer of the external session if any.\n", + "name": "external_session_id", + "type": "keyword" + }, + { + "description": "The interface used. e.g., Outlook, Office365, wsTrust\n", + "name": "interface", + "type": "keyword" + } + ], + "name": "authentication_context", + "short": "Fields that let you store information about authentication context.", + "title": "Authentication Context", + "type": "group" + }, + { + "description": "Fields that let you store information about security context.\n", + "fields": [ + { + "description": "The autonomous system.\n", + "fields": [ + { + "description": "The AS number.\n", + "name": "number", + "type": "integer" + }, + { + "description": "The organization that owns the AS number.\n", + "fields": [ + { + "description": "The organization name.\n", + "name": "name", + "type": "keyword" + } + ], + "name": "organization", + "type": "group" + } + ], + "name": "as", + "type": "group" + }, + { + "description": "The Internet Service Provider.\n", + "name": "isp", + "type": "keyword" + }, + { + "description": "The domain name.\n", + "name": "domain", + "type": "keyword" + }, + { + "description": "Whether it is a proxy or not.\n", + "name": "is_proxy", + "type": "boolean" + } + ], + "name": "security_context", + "short": "Fields that let you store information about security context.", + "title": "Security Context", + "type": "group" + }, + { + "description": "Fields that let you store information 
about the request, in the form of list of ip_chain.\n", + "fields": [ + { + "description": "List of ip_chain objects.\n", + "fields": [ + { + "description": "IP address.\n", + "name": "ip", + "type": "ip" + }, + { + "description": "IP version. Must be one of V4, V6.\n", + "name": "version", + "type": "keyword" + }, + { + "description": "Source information.\n", + "name": "source", + "type": "keyword" + }, + { + "description": "Geographical information.\n", + "fields": [ + { + "description": "The city.", + "name": "city", + "type": "keyword" + }, + { + "description": "The state.", + "name": "state", + "type": "keyword" + }, + { + "description": "The postal code.", + "name": "postal_code", + "type": "keyword" + }, + { + "description": "The country.", + "name": "country", + "type": "keyword" + }, + { + "description": "Geolocation information.\n", + "name": "geolocation", + "type": "geo_point" + } + ], + "name": "geographical_context", + "type": "group" + } + ], + "name": "ip_chain", + "type": "group" + } + ], + "name": "request", + "short": "Fields that let you store information about the request.", + "title": "Request", + "type": "group" + } + ] + } + } + } + } + } + }, + "osquery": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "module": "osquery", + "result": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "Fields exported by the `osquery` module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "osquery", + "type": "group" + } + ], + "key": "osquery", + "title": "Osquery" + } + ] + } + }, + "result": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Common fields exported by the result metricset.\n", + "fields": [ + { + "description": "The name of the query that generated this event.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "For incremental data, marks whether the entry was added or removed. 
It can be one of \"added\", \"removed\", or \"snapshot\".\n", + "name": "action", + "type": "keyword" + }, + { + "description": "The identifier for the host on which the osquery agent is running. Normally the hostname.\n", + "name": "host_identifier", + "type": "keyword" + }, + { + "description": "Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column.\n", + "name": "unix_time", + "type": "long" + }, + { + "description": "String representation of the collection time, as formatted by osquery.\n", + "name": "calendar_time", + "type": "keyword" + } + ], + "name": "result", + "type": "group" + } + ] + } + } + } + } + } + }, + "panw": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "module": "panw", + "panos": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "Module for Palo Alto Networks (PAN-OS)\n", + "fields": [ + { + "description": "Fields from the panw module.\n", + "fields": null, + "name": "panw", + "type": "group" + } + ], + "key": "panw", + "title": "panw" + } + ] + } + }, + "panos": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields for the Palo Alto Networks PAN-OS logs.\n", + "fields": [ + { + "description": "Name of the rule that matched this session.\n", + "name": "ruleset", + "type": "keyword" + }, + { + "description": "Fields to extend the top-level source object.\n", + "fields": [ + { + "description": "Source zone for this session.\n", + "name": "zone", + "type": "keyword" + }, + { + "description": "Source interface for this session.\n", + "name": "interface", + "type": "keyword" + }, + { + "description": "Post-NAT source address, if source NAT is performed.\n", + "fields": [ + { + "description": "Post-NAT source IP.\n", + "name": "ip", + "type": "ip" + }, + { + "description": "Post-NAT source port.\n", + "name": "port", + "type": "long" + } + ], + "name": "nat", + "type": "group" + } + ], + "name": "source", + "type": "group" + 
}, + { + "description": "Fields to extend the top-level destination object.\n", + "fields": [ + { + "description": "Destination zone for this session.\n", + "name": "zone", + "type": "keyword" + }, + { + "description": "Destination interface for this session.\n", + "name": "interface", + "type": "keyword" + }, + { + "description": "Post-NAT destination address, if destination NAT is performed.\n", + "fields": [ + { + "description": "Post-NAT destination IP.\n", + "name": "ip", + "type": "ip" + }, + { + "description": "Post-NAT destination port.\n", + "name": "port", + "type": "long" + } + ], + "name": "nat", + "type": "group" + } + ], + "name": "destination", + "type": "group" + }, + { + "description": "Fields to extend the top-level network object.\n", + "fields": [ + { + "description": "Packet capture ID for a threat.\n", + "name": "pcap_id", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Community ID flow-hash for the NAT 5-tuple.\n", + "name": "community_id", + "type": "keyword" + } + ], + "name": "nat", + "type": "group" + } + ], + "name": "network", + "type": "group" + }, + { + "description": "Fields to extend the top-level file object.\n", + "fields": [ + { + "description": "Binary hash for a threat file sent to be analyzed by the WildFire service.\n", + "name": "hash", + "type": "keyword" + } + ], + "name": "file", + "type": "group" + }, + { + "description": "Fields to extend the top-level url object.\n", + "fields": [ + { + "description": "For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'.\n", + "name": "category", + "type": "keyword" + } + ], + "name": "url", + "type": "group" + }, + { + "description": "Internal numeric identifier for each session.\n", + "name": "flow_id", + "type": "keyword" + }, + { + "description": "Log entry identifier that is incremented sequentially. 
Unique for each log type.\n", + "name": "sequence_number", + "type": "long" + }, + { + "description": "URL or file name for a threat.\n", + "name": "threat.resource", + "type": "keyword" + }, + { + "description": "Palo Alto Networks identifier for the threat.\n", + "name": "threat.id", + "type": "keyword" + }, + { + "description": "Palo Alto Networks name for the threat.\n", + "name": "threat.name", + "type": "keyword" + }, + { + "description": "Action taken for the session.", + "name": "action", + "type": "keyword" + } + ], + "name": "panos", + "type": "group" + } + ] + } + } + } + } + } + }, + "postgresql": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "postgresql" + } + ], + "fields.yml": [ + { + "description": "Module for parsing the PostgreSQL log files.\n", + "fields": [ + { + "description": "Fields from PostgreSQL logs.\n", + "fields": null, + "name": "postgresql", + "type": "group" + } + ], + "key": "postgresql", + "short_config": true, + "title": "PostgreSQL" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields from the PostgreSQL log files.\n", + "fields": [ + { + "deprecated": "7.3.0", + "description": "The timestamp from the log line.\n", + "name": "timestamp" + }, + { + "description": "Core id\n", + "name": "core_id", + "type": "long" + }, + { + "description": "Name of database\n", + "example": "mydb", + "name": "database" + }, + { + "description": "Query statement.\n", + "example": "SELECT * FROM users;", + "name": "query" + }, + { + "description": "Statement step when using extended query protocol (one of statement, parse, bind or execute)\n", + "example": "parse", + "name": "query_step" + }, + { + "description": "Name given to a query when using extended query protocol. 
If it is \"\", or not present, this field is ignored.\n", + "example": "pdo_stmt_00000001", + "name": "query_name" + }, + { + "description": "Error code returned by Postgres (if any)", + "name": "error.code", + "type": "long" + }, + { + "migration": true, + "name": "timezone", + "path": "event.timezone", + "type": "alias" + }, + { + "migration": true, + "name": "thread_id", + "path": "process.pid", + "type": "alias" + }, + { + "migration": true, + "name": "user", + "path": "user.name", + "type": "alias" + }, + { + "migration": true, + "name": "level", + "path": "log.level", + "type": "alias" + }, + { + "migration": true, + "name": "message", + "path": "message", + "type": "alias" + } + ], + "name": "log", + "type": "group" + } + ] + } + } + } + } + } + }, + "rabbitmq": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "rabbitmq" + } + ], + "fields.yml": [ + { + "description": "RabbitMQ Module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "rabbitmq", + "type": "group" + } + ], + "key": "rabbitmq", + "title": "RabbitMQ" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "RabbitMQ log files\n", + "fields": [ + { + "description": "The Erlang process id", + "example": "<0.222.0>", + "name": "pid", + "type": "keyword" + } + ], + "name": "log", + "type": "group" + } + ] + } + } + } + } + } + }, + "radware": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "defensepro": { + "enabled": true + }, + "module": "radware" + } + ], + "fields.yml": [ + { + "description": "radware fields.\n", + "fields": null, + "key": "radware", + "title": "Radware DefensePro" + } + ] + } + }, + "defensepro": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Name of the network interface where the traffic has been observed.\n", + "name": "network.interface.name", + "overwrite": 
true, + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "fields": [ + { + "description": "This key is used to capture the raw message that comes into the Log Decoder", + "name": "msg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "messageid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of instant messages", + "name": "message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.", + "name": "time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "level", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_vid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "data", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "statement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "audit_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "entry", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "hcode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "inode", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "dead", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "device_type_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "did", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "event_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.", + "name": "forward_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "forward_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "header_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_ctime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session", + "name": "medium", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "node_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key denotes that event is endpoint related", + "name": "nwe_callback_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "parse_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.", + "name": "process_vid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.", + "name": "process_vid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "rid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "session_split", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "site", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "size", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "sourcefile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log", + "name": "word", + "overwrite": true, + "type": "keyword" + } + ], + "name": "internal", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form", + "name": "event_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the normalized duration/lifetime in seconds.", + "name": "duration_time", + "overwrite": true, + "type": "double" + }, + { + "description": "This key is used to capture the incomplete time mentioned in a session as a string", + "name": "event_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Start time mentioned in a session in a 
standard form", + "name": "starttime", + "overwrite": true, + "type": "date" + }, + { + "name": "month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "day", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the End time mentioned in a session in a standard form", + "name": "endtime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the timezone of the Event Time", + "name": "timezone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A text string version of the duration", + "name": "duration_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. 
Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": "expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": 
true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a 
sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. 
Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd Linked ID. 
Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + "name": 
"event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI", + "name": "ip_proto", + "overwrite": true, + "type": "long" + }, + { + "name": "dns_cname_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_opcode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_resp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "host_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "packet_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.", + "name": "host_orig", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.", + "name": "rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the name of the Virtual LAN", + "name": "vlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "network", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures the particular event activity(Ex:Logoff)", + "name": "ec_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Theme of a particular Event(Ex:Authentication)", + "name": "ec_theme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Subject of a particular Event(Ex:User)", + "name": "ec_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the outcome of a particular Event(Ex:Success)", + "name": "ec_outcome", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Event 
category number", + "name": "event_cat", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the event category name corresponding to the event cat code", + "name": "event_cat_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.", + "name": "event_vcat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file", + "name": "analysis_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service", + "name": "analysis_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session", + "name": "analysis_session", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture behaviour of compromise", + "name": "boc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Enablers of Compromise", + "name": "eoc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation category", + "name": "inv_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation context", + "name": "inv_context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is key capture indicator of compromise", + "name": "ioc", + "overwrite": true, + "type": "keyword" + } + ], + "name": "investigations", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is a generic counter key that should be used with the label dclass.c1.str only", + "name": "dclass_c1", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c2.str only", + "name": "dclass_c2", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the number of times an event repeated", + "name": "event_counter", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r1.str only", + "name": "dclass_r1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c3.str only", + "name": "dclass_c3", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c1 only", + "name": "dclass_c1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter 
string key that should be used with the label dclass.c2 only", + "name": "dclass_c2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r1 only", + "name": "dclass_r1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r2.str only", + "name": "dclass_r2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c3 only", + "name": "dclass_c3_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r3.str only", + "name": "dclass_r3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r2 only", + "name": "dclass_r2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r3 only", + "name": "dclass_r3_str", + "overwrite": true, + "type": "keyword" + } + ], + "name": "counters", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture authentication methods used only", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Role of a user only", + "name": "user_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "X.500 (LDAP) Distinguished Name", + "name": "dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the type of logon method used.", + "name": "logon_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the user profile", + "name": "profile", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key is used to capture actual privileges used in accessing an object", + "name": "accesses", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Radius realm or similar grouping of accounts", + "name": "realm", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination User Session ID", + "name": "user_sid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn", + "name": "dn_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the User organization", + "name": "org", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn", + "name": "dn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "firstname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "lastname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User's Department Names only", + "name": "user_dept", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source User Session ID", + "name": "user_sid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Federated Service Provider. This is the application requesting authentication.", + "name": "federated_sp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the federated Identity Provider. 
This is the server providing the authentication.", + "name": "federated_idp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.", + "name": "logon_type_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "middlename", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Passwords seen in any session, plain text or encrypted", + "name": "password", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the role of a Host Machine", + "name": "host_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context", + "name": "ldap", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Search criteria from an LDAP search", + "name": "ldap_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to capture Results from an LDAP search", + "name": "ldap_response", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture username the process or service is running as, the author of the task", + "name": "owner", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage", + "name": "service_account", + "overwrite": true, + "type": "keyword" + } + ], + "name": "identity", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email", + "name": "email_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the source email address only, when the source context is not clear use email", + "name": "email_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the subject string from an Email only.", + "name": "subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a generic email address where the source or destination context is not clear", + "name": "email", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_to", + "overwrite": true, + "type": "keyword" + } + ], + "name": "email", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Deprecated, use permissions", + "name": "privilege", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the attachment file name", + "name": "attachment", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filesystem", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "binary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the file targeted by the action", + "name": "filename_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the parent filename, the 
file which performed the action", + "name": "filename_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filename_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the target process or file", + "name": "directory_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the source process or file", + "name": "directory_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture entropy vale of a file", + "name": "file_entropy", + "overwrite": true, + "type": "double" + }, + { + "description": "This is used to capture Company name of file located in version_info", + "name": "file_vendor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the task", + "name": "task_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "file", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Fully Qualified Domain Names", + "name": "fqdn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Web cookies specifically.", + "name": "web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reputation Number of an entity. 
Typically used for Web Domains", + "name": "reputation_num", + "overwrite": true, + "type": "double" + }, + { + "description": "Web referer's domain", + "name": "web_ref_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's query portion of the URL", + "name": "web_ref_query", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's page information", + "name": "web_ref_page", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web referer's root URL path", + "name": "web_ref_root", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_rpackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlpage", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlroot", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_url", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_method", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_referer", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_extension_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_page", + "overwrite": true, + "type": "keyword" + } + ], + "name": "web", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures Threat Name/Threat Category/Categorization of alert", + "name": "threat_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the threat description from the session directly or inferred", + "name": "threat_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": 
"This key is used to capture name of the alert", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source of the threat", + "name": "threat_source", + "overwrite": true, + "type": "keyword" + } + ], + "name": "threat", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Encryption Type or Encryption Key only", + "name": "crypto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Source (Client) Cipher", + "name": "cipher_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate organization only", + "name": "cert_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer's IP Address", + "name": "peer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source (Client) Cipher Size", + "name": "cipher_size_src", + "overwrite": true, + "type": "long" + }, + { + "description": "IKE negotiation phase.", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Encryption scheme used", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer\u2019s identity", + "name": "peer_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Signature Type", + "name": "sig_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_issuer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "cert_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Certificate Error String", + "name": "cert_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Destination 
(Server) Cipher", + "name": "cipher_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination (Server) Cipher Size", + "name": "cipher_size_dst", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "d_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "name": "s_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One", + "name": "ike_cookie1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two", + "name": "ike_cookie2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used for the hostname category value of a certificate", + "name": "cert_host_cat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate serial number only", + "name": "cert_serial", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Certificate validation status", + "name": "cert_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_keysize", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_insact", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_valid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate signing authority only", + "name": "cert_ca", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate common 
name only", + "name": "cert_common", + "overwrite": true, + "type": "keyword" + } + ], + "name": "crypto", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the ssid of a Wireless Session", + "name": "wlan_ssid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the access point name.", + "name": "access_point", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the channel names", + "name": "wlan_channel", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures either WLAN number/name", + "name": "wlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "wireless", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "A unique name assigned to logical units (volumes) within a physical disk", + "name": "disk_volume", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Logical Unit Number.This key is a very useful concept in Storage.", + "name": "lun", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This uniquely identifies a port on a HBA.", + "name": "pwwn", + "overwrite": true, + "type": "keyword" + } + ], + "name": "storage", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.", + "name": "org_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.", + "name": "org_src", + "overwrite": true, + "type": "keyword" + } + ], + "name": "physical", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_fname", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "This key captures the unique ID for a patient", + "name": "patient_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_lname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_mname", + "overwrite": true, + "type": "keyword" + } + ], + "name": "healthcare", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on", + "name": "host_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the path to the registry key", + "name": "registry_key", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures values or decorators used within a registry entry", + "name": "registry_value", + "overwrite": true, + "type": "keyword" + } + ], + "name": "endpoint", + "overwrite": true, + "type": "group" + } + ], + "name": "rsa", + "overwrite": true, + "type": "group" + } + ] + } + } + } + } + } + }, + "redis": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "redis", + "slowlog": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "Redis Module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "redis", + "type": "group" + } + ], + "key": "redis", + "title": "Redis" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Redis log files\n", + "fields": [ + { + "description": "The role of the Redis instance. 
Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`.\n", + "name": "role", + "type": "keyword" + }, + { + "migration": true, + "name": "pid", + "path": "process.pid", + "type": "alias" + }, + { + "migration": true, + "name": "level", + "path": "log.level", + "type": "alias" + }, + { + "migration": true, + "name": "message", + "path": "message", + "type": "alias" + } + ], + "name": "log", + "type": "group" + } + ] + } + } + } + }, + "slowlog": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Slow logs are retrieved from Redis via a network connection.\n", + "fields": [ + { + "description": "The command executed.\n", + "name": "cmd", + "type": "keyword" + }, + { + "description": "How long it took to execute the command in microseconds.\n", + "name": "duration.us", + "type": "long" + }, + { + "description": "The ID of the query.\n", + "name": "id", + "type": "long" + }, + { + "description": "The key on which the command was executed.\n", + "name": "key", + "type": "keyword" + }, + { + "description": "The arguments with which the command was called.\n", + "name": "args", + "type": "keyword" + } + ], + "name": "slowlog", + "type": "group" + } + ] + } + } + } + } + } + }, + "santa": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "santa" + } + ], + "fields.yml": [ + { + "description": "Santa Module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "Action", + "example": "EXEC", + "name": "action", + "type": "keyword" + }, + { + "description": "Decision that santad took.", + "example": "ALLOW", + "name": "decision", + "type": "keyword" + }, + { + "description": "Reason for the decsision.", + "example": "CERT", + "name": "reason", + "type": "keyword" + }, + { + "description": "Operating mode of Santa.", + "example": "M", + "name": "mode", + "type": "keyword" + }, + { + "description": "Fields for DISKAPPEAR actions.", + 
"fields": [ + { + "description": "The volume name.", + "name": "volume" + }, + { + "description": "The disk bus protocol.", + "name": "bus" + }, + { + "description": "The disk serial number.", + "name": "serial" + }, + { + "description": "The disk BSD name.", + "example": "disk1s3", + "name": "bsdname" + }, + { + "description": "The disk model.", + "example": "APPLE SSD SM0512L", + "name": "model" + }, + { + "description": "The disk volume kind (filesystem type).", + "example": "apfs", + "name": "fs" + }, + { + "description": "The disk volume path.", + "name": "mount" + } + ], + "name": "disk", + "type": "group" + }, + { + "description": "Common name from code signing certificate.", + "name": "certificate.common_name", + "type": "keyword" + }, + { + "description": "SHA256 hash of code signing certificate.", + "name": "certificate.sha256", + "type": "keyword" + } + ], + "name": "santa", + "type": "group" + } + ], + "key": "santa", + "title": "Google Santa" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": null + } + } + } + } + } + }, + "sonicwall": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "firewall": { + "enabled": true + }, + "module": "sonicwall" + } + ], + "fields.yml": [ + { + "description": "sonicwall fields.\n", + "fields": null, + "key": "sonicwall", + "title": "Sonicwall-FW" + } + ] + } + }, + "firewall": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Name of the network interface where the traffic has been observed.\n", + "name": "network.interface.name", + "overwrite": true, + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "fields": [ + { + "description": "This key is used to capture the raw message that comes into the Log Decoder", + "name": "msg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "messageid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_desc", + "overwrite": 
true, + "type": "keyword" + }, + { + "description": "This key captures the contents of instant messages", + "name": "message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.", + "name": "time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "level", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_vid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "data", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "statement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "audit_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "entry", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "hcode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "inode", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "dead", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "device_type_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "did", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "event_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.", + "name": "forward_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "forward_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "header_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_ctime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session", + "name": "medium", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "node_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key denotes that event is endpoint related", + "name": "nwe_callback_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "parse_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.", + "name": "process_vid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.", + "name": "process_vid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "rid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "session_split", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "site", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "size", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "sourcefile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log", + "name": "word", + "overwrite": true, + "type": "keyword" + } + ], + "name": "internal", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form", + "name": "event_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the normalized duration/lifetime in seconds.", + "name": "duration_time", + "overwrite": true, + "type": "double" + }, + { + "description": "This key is used to capture the incomplete time mentioned in a session as a string", + "name": "event_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Start time mentioned in a session in a 
standard form", + "name": "starttime", + "overwrite": true, + "type": "date" + }, + { + "name": "month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "day", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the End time mentioned in a session in a standard form", + "name": "endtime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the timezone of the Event Time", + "name": "timezone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A text string version of the duration", + "name": "duration_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. 
Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": "expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": 
true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a 
sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. 
Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd Linked ID. 
Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + "name": 
"event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI", + "name": "ip_proto", + "overwrite": true, + "type": "long" + }, + { + "name": "dns_cname_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_opcode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_resp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "host_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "packet_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.", + "name": "host_orig", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.", + "name": "rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the name of the Virtual LAN", + "name": "vlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "network", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures the particular event activity(Ex:Logoff)", + "name": "ec_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Theme of a particular Event(Ex:Authentication)", + "name": "ec_theme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Subject of a particular Event(Ex:User)", + "name": "ec_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the outcome of a particular Event(Ex:Success)", + "name": "ec_outcome", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Event 
category number", + "name": "event_cat", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the event category name corresponding to the event cat code", + "name": "event_cat_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.", + "name": "event_vcat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file", + "name": "analysis_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service", + "name": "analysis_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session", + "name": "analysis_session", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture behaviour of compromise", + "name": "boc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Enablers of Compromise", + "name": "eoc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation category", + "name": "inv_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation context", + "name": "inv_context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is key capture indicator of compromise", + "name": "ioc", + "overwrite": true, + "type": "keyword" + } + ], + "name": "investigations", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is a generic counter key that should be used with the label dclass.c1.str only", + "name": "dclass_c1", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c2.str only", + "name": "dclass_c2", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the number of times an event repeated", + "name": "event_counter", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r1.str only", + "name": "dclass_r1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c3.str only", + "name": "dclass_c3", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c1 only", + "name": "dclass_c1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter 
string key that should be used with the label dclass.c2 only", + "name": "dclass_c2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r1 only", + "name": "dclass_r1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r2.str only", + "name": "dclass_r2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c3 only", + "name": "dclass_c3_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r3.str only", + "name": "dclass_r3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r2 only", + "name": "dclass_r2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r3 only", + "name": "dclass_r3_str", + "overwrite": true, + "type": "keyword" + } + ], + "name": "counters", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture authentication methods used only", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Role of a user only", + "name": "user_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "X.500 (LDAP) Distinguished Name", + "name": "dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the type of logon method used.", + "name": "logon_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the user profile", + "name": "profile", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key is used to capture actual privileges used in accessing an object", + "name": "accesses", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Radius realm or similar grouping of accounts", + "name": "realm", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination User Session ID", + "name": "user_sid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn", + "name": "dn_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the User organization", + "name": "org", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn", + "name": "dn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "firstname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "lastname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User's Department Names only", + "name": "user_dept", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source User Session ID", + "name": "user_sid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Federated Service Provider. This is the application requesting authentication.", + "name": "federated_sp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the federated Identity Provider. 
This is the server providing the authentication.", + "name": "federated_idp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.", + "name": "logon_type_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "middlename", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Passwords seen in any session, plain text or encrypted", + "name": "password", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the role of a Host Machine", + "name": "host_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context", + "name": "ldap", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Search criteria from an LDAP search", + "name": "ldap_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to capture Results from an LDAP search", + "name": "ldap_response", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture username the process or service is running as, the author of the task", + "name": "owner", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage", + "name": "service_account", + "overwrite": true, + "type": "keyword" + } + ], + "name": "identity", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email", + "name": "email_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the source email address only, when the source context is not clear use email", + "name": "email_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the subject string from an Email only.", + "name": "subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a generic email address where the source or destination context is not clear", + "name": "email", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_to", + "overwrite": true, + "type": "keyword" + } + ], + "name": "email", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Deprecated, use permissions", + "name": "privilege", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the attachment file name", + "name": "attachment", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filesystem", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "binary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the file targeted by the action", + "name": "filename_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the parent filename, the 
file which performed the action", + "name": "filename_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filename_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the target process or file", + "name": "directory_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the source process or file", + "name": "directory_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture entropy vale of a file", + "name": "file_entropy", + "overwrite": true, + "type": "double" + }, + { + "description": "This is used to capture Company name of file located in version_info", + "name": "file_vendor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the task", + "name": "task_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "file", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Fully Qualified Domain Names", + "name": "fqdn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Web cookies specifically.", + "name": "web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reputation Number of an entity. 
Typically used for Web Domains", + "name": "reputation_num", + "overwrite": true, + "type": "double" + }, + { + "description": "Web referer's domain", + "name": "web_ref_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's query portion of the URL", + "name": "web_ref_query", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's page information", + "name": "web_ref_page", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web referer's root URL path", + "name": "web_ref_root", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_rpackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlpage", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlroot", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_url", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_method", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_referer", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_extension_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_page", + "overwrite": true, + "type": "keyword" + } + ], + "name": "web", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures Threat Name/Threat Category/Categorization of alert", + "name": "threat_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the threat description from the session directly or inferred", + "name": "threat_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": 
"This key is used to capture name of the alert", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source of the threat", + "name": "threat_source", + "overwrite": true, + "type": "keyword" + } + ], + "name": "threat", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Encryption Type or Encryption Key only", + "name": "crypto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Source (Client) Cipher", + "name": "cipher_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate organization only", + "name": "cert_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer's IP Address", + "name": "peer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source (Client) Cipher Size", + "name": "cipher_size_src", + "overwrite": true, + "type": "long" + }, + { + "description": "IKE negotiation phase.", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Encryption scheme used", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer\u2019s identity", + "name": "peer_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Signature Type", + "name": "sig_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_issuer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "cert_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Certificate Error String", + "name": "cert_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Destination 
(Server) Cipher", + "name": "cipher_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination (Server) Cipher Size", + "name": "cipher_size_dst", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "d_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "name": "s_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One", + "name": "ike_cookie1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two", + "name": "ike_cookie2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used for the hostname category value of a certificate", + "name": "cert_host_cat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate serial number only", + "name": "cert_serial", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Certificate validation status", + "name": "cert_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_keysize", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_insact", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_valid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate signing authority only", + "name": "cert_ca", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate common 
name only", + "name": "cert_common", + "overwrite": true, + "type": "keyword" + } + ], + "name": "crypto", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the ssid of a Wireless Session", + "name": "wlan_ssid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the access point name.", + "name": "access_point", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the channel names", + "name": "wlan_channel", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures either WLAN number/name", + "name": "wlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "wireless", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "A unique name assigned to logical units (volumes) within a physical disk", + "name": "disk_volume", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Logical Unit Number.This key is a very useful concept in Storage.", + "name": "lun", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This uniquely identifies a port on a HBA.", + "name": "pwwn", + "overwrite": true, + "type": "keyword" + } + ], + "name": "storage", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.", + "name": "org_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.", + "name": "org_src", + "overwrite": true, + "type": "keyword" + } + ], + "name": "physical", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_fname", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "This key captures the unique ID for a patient", + "name": "patient_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_lname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_mname", + "overwrite": true, + "type": "keyword" + } + ], + "name": "healthcare", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on", + "name": "host_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the path to the registry key", + "name": "registry_key", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures values or decorators used within a registry entry", + "name": "registry_value", + "overwrite": true, + "type": "keyword" + } + ], + "name": "endpoint", + "overwrite": true, + "type": "group" + } + ], + "name": "rsa", + "overwrite": true, + "type": "group" + } + ] + } + } + } + } + } + }, + "sophos": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "module": "sophos", + "xg": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "sophos Module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "sophos", + "type": "group" + } + ], + "key": "sophos", + "title": "sophos" + } + ] + } + }, + "xg": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Module for parsing sophosxg syslog.\n", + "fields": [ + { + "description": "device\n", + "name": "device", + "type": "keyword" + }, + { + "description": "Date (yyyy-mm-dd) 
when the event occurred\n", + "name": "date", + "type": "date" + }, + { + "description": "Time (hh:mm:ss) when the event occurred\n", + "name": "timezone", + "type": "keyword" + }, + { + "description": "Model number of the device\n", + "name": "device_name", + "type": "keyword" + }, + { + "description": "Serial number of the device\n", + "name": "device_id", + "type": "keyword" + }, + { + "description": "Unique 12 characters code (0101011)\n", + "name": "log_id", + "type": "keyword" + }, + { + "description": "Type of event e.g. firewall event\n", + "name": "log_type", + "type": "keyword" + }, + { + "description": "Component responsible for logging e.g. Firewall rule\n", + "name": "log_component", + "type": "keyword" + }, + { + "description": "Sub type of event\n", + "name": "log_subtype", + "type": "keyword" + }, + { + "description": "Heartbeat status\n", + "name": "hb_health", + "type": "keyword" + }, + { + "description": "Severity level of traffic\n", + "name": "priority", + "type": "keyword" + }, + { + "description": "Ultimate status of traffic \u2013 Allowed or Denied\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Durability of traffic (seconds)\n", + "name": "duration", + "type": "long" + }, + { + "description": "Firewall Rule ID which is applied on the traffic\n", + "name": "fw_rule_id", + "type": "integer" + }, + { + "description": "user_name\n", + "name": "user_name", + "type": "keyword" + }, + { + "description": "Group name to which the user belongs\n", + "name": "user_group", + "type": "keyword" + }, + { + "description": "Internet Access policy ID applied on the traffic\n", + "name": "iap", + "type": "keyword" + }, + { + "description": "IPS policy ID applied on the traffic\n", + "name": "ips_policy_id", + "type": "integer" + }, + { + "description": "Policy type applied to the traffic\n", + "name": "policy_type", + "type": "keyword" + }, + { + "description": "Application Filter policy applied on the traffic\n", + "name": 
"appfilter_policy_id", + "type": "integer" + }, + { + "description": "Application Filter policy applied on the traffic\n", + "name": "application_filter_policy", + "type": "integer" + }, + { + "description": "Application name\n", + "name": "application", + "type": "keyword" + }, + { + "description": "Application name\n", + "name": "application_name", + "type": "keyword" + }, + { + "description": "Risk level assigned to the application\n", + "name": "application_risk", + "type": "keyword" + }, + { + "description": "Technology of the application\n", + "name": "application_technology", + "type": "keyword" + }, + { + "description": "Application is resolved by signature or synchronized application\n", + "name": "application_category", + "type": "keyword" + }, + { + "description": "Technology of the application\n", + "name": "appresolvedby", + "type": "keyword" + }, + { + "description": "Application is Cloud\n", + "name": "app_is_cloud", + "type": "keyword" + }, + { + "description": "Interface for incoming traffic, e.g., Port A\n", + "name": "in_interface", + "type": "keyword" + }, + { + "description": "Interface for outgoing traffic, e.g., Port B\n", + "name": "out_interface", + "type": "keyword" + }, + { + "description": "Original source IP address of traffic\n", + "name": "src_ip", + "type": "ip" + }, + { + "description": "Original source MAC address of traffic\n", + "name": "src_mac", + "type": "keyword" + }, + { + "description": "Code of the country to which the source IP belongs\n", + "name": "src_country_code", + "type": "keyword" + }, + { + "description": "Original destination IP address of traffic\n", + "name": "dst_ip", + "type": "ip" + }, + { + "description": "Code of the country to which the destination IP belongs\n", + "name": "dst_country_code", + "type": "keyword" + }, + { + "description": "Protocol number of traffic\n", + "name": "protocol", + "type": "keyword" + }, + { + "description": "Original source port of TCP and UDP traffic\n", + "name": 
"src_port", + "type": "integer" + }, + { + "description": "Original destination port of TCP and UDP traffic\n", + "name": "dst_port", + "type": "integer" + }, + { + "description": "ICMP type of ICMP traffic\n", + "name": "icmp_type", + "type": "keyword" + }, + { + "description": "ICMP code of ICMP traffic\n", + "name": "icmp_code", + "type": "keyword" + }, + { + "description": "Total number of packets sent\n", + "name": "sent_pkts", + "type": "long" + }, + { + "description": "Total number of packets received\n", + "name": "received_pkts", + "type": "long" + }, + { + "description": "Total number of bytes sent\n", + "name": "sent_bytes", + "type": "long" + }, + { + "description": "Total number of bytes received\n", + "name": "recv_bytes", + "type": "long" + }, + { + "description": "Translated source IP address for outgoing traffic\n", + "name": "trans_src_ ip", + "type": "ip" + }, + { + "description": "Translated source port for outgoing traffic\n", + "name": "trans_src_port", + "type": "integer" + }, + { + "description": "Translated destination IP address for outgoing traffic\n", + "name": "trans_dst_ip", + "type": "ip" + }, + { + "description": "Translated destination port for outgoing traffic\n", + "name": "trans_dst_port", + "type": "integer" + }, + { + "description": "Type of source zone, e.g., LAN\n", + "name": "srczonetype", + "type": "keyword" + }, + { + "description": "Name of source zone\n", + "name": "srczone", + "type": "keyword" + }, + { + "description": "Type of destination zone, e.g., WAN\n", + "name": "dstzonetype", + "type": "keyword" + }, + { + "description": "Name of destination zone\n", + "name": "dstzone", + "type": "keyword" + }, + { + "description": "TPacket direction. 
Possible values:\u201corg\u201d, \u201creply\u201d, \u201c\u201d\n", + "name": "dir_disp", + "type": "keyword" + }, + { + "description": "Event on which this log is generated\n", + "name": "connevent", + "type": "keyword" + }, + { + "description": "Unique identifier of connection\n", + "name": "conn_id", + "type": "integer" + }, + { + "description": "Connection ID of the master connection\n", + "name": "vconn_id", + "type": "integer" + }, + { + "description": "IPS policy ID which is applied on the traffic\n", + "name": "idp_policy_id", + "type": "integer" + }, + { + "description": "IPS policy name i.e. IPS policy name which is applied on the traffic\n", + "name": "idp_policy_name", + "type": "keyword" + }, + { + "description": "Signature ID\n", + "name": "signature_id", + "type": "keyword" + }, + { + "description": "Signature messsage\n", + "name": "signature_msg", + "type": "keyword" + }, + { + "description": "Signature classification\n", + "name": "classification", + "type": "keyword" + }, + { + "description": "Priority of IPS policy\n", + "name": "rule_priority", + "type": "keyword" + }, + { + "description": "Platform of the traffic.\n", + "name": "platform", + "type": "keyword" + }, + { + "description": "IPS signature category.\n", + "name": "category", + "type": "keyword" + }, + { + "description": "Platform of the traffic.\n", + "name": "target", + "type": "keyword" + }, + { + "description": "ATP Evenet ID\n", + "name": "eventid", + "type": "keyword" + }, + { + "description": "Endpoint UUID\n", + "name": "ep_uuid", + "type": "keyword" + }, + { + "description": "ATP threatname\n", + "name": "threatname", + "type": "keyword" + }, + { + "description": "Original source IP address of traffic\n", + "name": "sourceip", + "type": "ip" + }, + { + "description": "Original destination IP address of traffic\n", + "name": "destinationip", + "type": "ip" + }, + { + "description": "ATP login user\n", + "name": "login_user", + "type": "keyword" + }, + { + "description": "ATP 
event type\n", + "name": "eventtype", + "type": "keyword" + }, + { + "description": "ATP execution path\n", + "name": "execution_path", + "type": "keyword" + }, + { + "description": "Malware scanning policy name which is applied on the traffic\n", + "name": "av_policy_name", + "type": "keyword" + }, + { + "description": "Sender email address\n", + "name": "from_email_address", + "type": "keyword" + }, + { + "description": "Receipeint email address\n", + "name": "to_email_address", + "type": "keyword" + }, + { + "description": "Email subject\n", + "name": "subject", + "type": "keyword" + }, + { + "description": "mailsize\n", + "name": "mailsize", + "type": "integer" + }, + { + "description": "virus name\n", + "name": "virus", + "type": "keyword" + }, + { + "description": "FTP URL from which virus was downloaded\n", + "name": "FTP_url", + "type": "keyword" + }, + { + "description": "Direction of FTP transfer: Upload or Download\n", + "name": "FTP_direction", + "type": "keyword" + }, + { + "description": "Size of the file that contained virus\n", + "name": "filesize", + "type": "integer" + }, + { + "description": "Path of the file containing virus\n", + "name": "filepath", + "type": "keyword" + }, + { + "description": "File name associated with the event\n", + "name": "filename", + "type": "keyword" + }, + { + "description": "FTP command used when virus was found\n", + "name": "ftpcommand", + "type": "keyword" + }, + { + "description": "URL from which virus was downloaded\n", + "name": "url", + "type": "keyword" + }, + { + "description": "Domain from which virus was downloaded\n", + "name": "domainname", + "type": "keyword" + }, + { + "description": "Path and filename of the file quarantined\n", + "name": "quarantine", + "type": "keyword" + }, + { + "description": "Sender domain name\n", + "name": "src_domainname", + "type": "keyword" + }, + { + "description": "Receiver domain name\n", + "name": "dst_domainname", + "type": "keyword" + }, + { + "description": "Reason 
why the record was detected as spam/malicious\n", + "name": "reason", + "type": "keyword" + }, + { + "description": "Referer\n", + "name": "referer", + "type": "keyword" + }, + { + "description": "Spam Action\n", + "name": "spamaction", + "type": "keyword" + }, + { + "description": "mailid\n", + "name": "mailid", + "type": "keyword" + }, + { + "description": "Quarantine reason\n", + "name": "quarantine_reason", + "type": "keyword" + }, + { + "description": "Status code\n", + "name": "status_code", + "type": "keyword" + }, + { + "description": "Override token\n", + "name": "override_token", + "type": "keyword" + }, + { + "description": "Unique identifier of connection\n", + "name": "con_id", + "type": "integer" + }, + { + "description": "Override authorizer\n", + "name": "override_authorizer", + "type": "keyword" + }, + { + "description": "Transaction ID of the AV scan.\n", + "name": "transactionid", + "type": "keyword" + }, + { + "description": "Upload file type\n", + "name": "upload_file_type", + "type": "keyword" + }, + { + "description": "Upload file name\n", + "name": "upload_file_name", + "type": "keyword" + }, + { + "description": "code of HTTP response\n", + "name": "httpresponsecode", + "type": "long" + }, + { + "description": "Group name to which the user belongs.\n", + "name": "user_gp", + "type": "keyword" + }, + { + "description": "Type of category under which website falls\n", + "name": "category_type", + "type": "keyword" + }, + { + "description": "Download file type\n", + "name": "download_file_type", + "type": "keyword" + }, + { + "description": "List of the checks excluded by web exceptions.\n", + "name": "exceptions", + "type": "keyword" + }, + { + "description": "Type of the content\n", + "name": "contenttype", + "type": "keyword" + }, + { + "description": "Override name\n", + "name": "override_name", + "type": "keyword" + }, + { + "description": "Web policy activity that matched and caused the policy result.\n", + "name": "activityname", + 
"type": "keyword" + }, + { + "description": "Download file name\n", + "name": "download_file_name", + "type": "keyword" + }, + { + "description": "SHA1 checksum of the item being analyzed\n", + "name": "sha1sum", + "type": "keyword" + }, + { + "description": "Message ID\n", + "name": "message_id", + "type": "keyword" + }, + { + "description": "Connection ID\n", + "name": "connid", + "type": "keyword" + }, + { + "description": "Message\n", + "name": "message", + "type": "keyword" + }, + { + "description": "Email Subject\n", + "name": "email_subject", + "type": "keyword" + }, + { + "description": "File path\n", + "name": "file_path", + "type": "keyword" + }, + { + "description": "Destination Domain\n", + "name": "dstdomain", + "type": "keyword" + }, + { + "description": "File Size\n", + "name": "file_size", + "type": "integer" + }, + { + "description": "Transaction ID\n", + "name": "transaction_id", + "type": "keyword" + }, + { + "description": "Website\n", + "name": "website", + "type": "keyword" + }, + { + "description": "Filename\n", + "name": "file_name", + "type": "keyword" + }, + { + "description": "Content Prefix\n", + "name": "context_prefix", + "type": "keyword" + }, + { + "description": "Site Category\n", + "name": "site_category", + "type": "keyword" + }, + { + "description": "Context Suffix\n", + "name": "context_suffix", + "type": "keyword" + }, + { + "description": "Dictionary Name\n", + "name": "dictionary_name", + "type": "keyword" + }, + { + "description": "Event Action\n", + "name": "action", + "type": "keyword" + }, + { + "description": "User\n", + "name": "user", + "type": "keyword" + }, + { + "description": "Context Match\n", + "name": "context_match", + "type": "keyword" + }, + { + "description": "Direction\n", + "name": "direction", + "type": "keyword" + }, + { + "description": "Auth Client\n", + "name": "auth_client", + "type": "keyword" + }, + { + "description": "Auth mechanism\n", + "name": "auth_mechanism", + "type": "keyword" + }, + { + 
"description": "Connectionname\n", + "name": "connectionname", + "type": "keyword" + }, + { + "description": "remotenetwork\n", + "name": "remotenetwork", + "type": "keyword" + }, + { + "description": "Localgateway\n", + "name": "localgateway", + "type": "keyword" + }, + { + "description": "Localnetwork\n", + "name": "localnetwork", + "type": "keyword" + }, + { + "description": "Connectiontype\n", + "name": "connectiontype", + "type": "keyword" + }, + { + "description": "Oldversion\n", + "name": "oldversion", + "type": "keyword" + }, + { + "description": "Newversion\n", + "name": "newversion", + "type": "keyword" + }, + { + "description": "Ipaddress\n", + "name": "ipaddress", + "type": "keyword" + }, + { + "description": "Client physical address\n", + "name": "client_physical_address", + "type": "keyword" + }, + { + "description": "Client host name\n", + "name": "client_host_name", + "type": "keyword" + }, + { + "description": "Raw data\n", + "name": "raw_data", + "type": "keyword" + }, + { + "description": "Mode\n", + "name": "Mode", + "type": "keyword" + }, + { + "description": "Sessionid\n", + "name": "sessionid", + "type": "keyword" + }, + { + "description": "Starttime\n", + "name": "starttime", + "type": "date" + }, + { + "description": "Remote IP\n", + "name": "remote_ip", + "type": "ip" + }, + { + "description": "timestamp\n", + "name": "timestamp", + "type": "date" + }, + { + "description": "SysLog SERVER NAME\n", + "name": "SysLog_SERVER_NAME", + "type": "keyword" + }, + { + "description": "Backup mode\n", + "name": "backup_mode", + "type": "keyword" + }, + { + "description": "Source\n", + "name": "source", + "type": "keyword" + }, + { + "description": "Server\n", + "name": "server", + "type": "keyword" + }, + { + "description": "Host\n", + "name": "host", + "type": "keyword" + }, + { + "description": "Responsetime\n", + "name": "responsetime", + "type": "long" + }, + { + "description": "cookie\n", + "name": "cookie", + "type": "keyword" + }, + { + 
"description": "querystring\n", + "name": "querystring", + "type": "keyword" + }, + { + "description": "extra\n", + "name": "extra", + "type": "keyword" + }, + { + "description": "PHPSESSID\n", + "name": "PHPSESSID", + "type": "keyword" + }, + { + "description": "Start time\n", + "name": "start_time", + "type": "date" + }, + { + "description": "Event time\n", + "name": "eventtime", + "type": "date" + }, + { + "description": "RED ID\n", + "name": "red_id", + "type": "keyword" + }, + { + "description": "Branch Name\n", + "name": "branch_name", + "type": "keyword" + }, + { + "description": "updatedip\n", + "name": "updatedip", + "type": "ip" + }, + { + "description": "idle ##\n", + "name": "idle_cpu", + "type": "float" + }, + { + "description": "system\n", + "name": "system_cpu", + "type": "float" + }, + { + "description": "system\n", + "name": "user_cpu", + "type": "float" + }, + { + "description": "used\n", + "name": "used", + "type": "integer" + }, + { + "description": "unit\n", + "name": "unit", + "type": "keyword" + }, + { + "description": "Total Memory\n", + "name": "total_memory", + "type": "integer" + }, + { + "description": "free\n", + "name": "free", + "type": "integer" + }, + { + "description": "transmitted errors\n", + "name": "transmittederrors", + "type": "keyword" + }, + { + "description": "received errors\n", + "name": "receivederrors", + "type": "keyword" + }, + { + "description": "received kbits\n", + "name": "receivedkbits", + "type": "long" + }, + { + "description": "transmitted kbits\n", + "name": "transmittedkbits", + "type": "long" + }, + { + "description": "transmitted drops\n", + "name": "transmitteddrops", + "type": "long" + }, + { + "description": "received drops\n", + "name": "receiveddrops", + "type": "long" + }, + { + "description": "collisions\n", + "name": "collisions", + "type": "long" + }, + { + "description": "interface\n", + "name": "interface", + "type": "keyword" + }, + { + "description": "Configuration\n", + "name": 
"Configuration", + "type": "float" + }, + { + "description": "Reports\n", + "name": "Reports", + "type": "float" + }, + { + "description": "Signature\n", + "name": "Signature", + "type": "float" + }, + { + "description": "Temp\n", + "name": "Temp", + "type": "float" + }, + { + "description": "users\n", + "name": "users", + "type": "keyword" + }, + { + "description": "ssid\n", + "name": "ssid", + "type": "keyword" + }, + { + "description": "ap\n", + "name": "ap", + "type": "keyword" + }, + { + "description": "clients connection ssid\n", + "name": "clients_conn_ssid", + "type": "keyword" + } + ], + "name": "xg", + "release": "beta", + "type": "group" + } + ] + } + }, + "config": { + "files": { + "config.yml": [ + { + "default_field": false, + "description": "Module for parsing sophosxg syslog.\n", + "fields": [ + { + "description": "device\n", + "name": "device", + "type": "keyword" + }, + { + "description": "Date (yyyy-mm-dd) when the event occurred\n", + "name": "date", + "type": "date" + }, + { + "description": "Time (hh:mm:ss) when the event occurred\n", + "name": "timezone", + "type": "keyword" + }, + { + "description": "Model number of the device\n", + "name": "device_name", + "type": "keyword" + }, + { + "description": "Serial number of the device\n", + "name": "device_id", + "type": "keyword" + }, + { + "description": "Unique 12 characters code (0101011)\n", + "name": "log_id", + "type": "keyword" + }, + { + "description": "Type of event e.g. firewall event\n", + "name": "log_type", + "type": "keyword" + }, + { + "description": "Component responsible for logging e.g. 
Firewall rule\n", + "name": "log_component", + "type": "keyword" + }, + { + "description": "Sub type of event\n", + "name": "log_subtype", + "type": "keyword" + }, + { + "description": "Heartbeat status\n", + "name": "hb_health", + "type": "keyword" + }, + { + "description": "Severity level of traffic\n", + "name": "priority", + "type": "keyword" + }, + { + "description": "Ultimate status of traffic \u2013 Allowed or Denied\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Durability of traffic (seconds)\n", + "name": "duration", + "type": "long" + }, + { + "description": "Firewall Rule ID which is applied on the traffic\n", + "name": "fw_rule_id", + "type": "integer" + }, + { + "description": "user_name\n", + "name": "user_name", + "type": "keyword" + }, + { + "description": "Group name to which the user belongs\n", + "name": "user_group", + "type": "keyword" + }, + { + "description": "Internet Access policy ID applied on the traffic\n", + "name": "iap", + "type": "keyword" + }, + { + "description": "IPS policy ID applied on the traffic\n", + "name": "ips_policy_id", + "type": "integer" + }, + { + "description": "Policy type applied to the traffic\n", + "name": "policy_type", + "type": "keyword" + }, + { + "description": "Application Filter policy applied on the traffic\n", + "name": "appfilter_policy_id", + "type": "integer" + }, + { + "description": "Application Filter policy applied on the traffic\n", + "name": "application_filter_policy", + "type": "integer" + }, + { + "description": "Application name\n", + "name": "application", + "type": "keyword" + }, + { + "description": "Application name\n", + "name": "application_name", + "type": "keyword" + }, + { + "description": "Risk level assigned to the application\n", + "name": "application_risk", + "type": "keyword" + }, + { + "description": "Technology of the application\n", + "name": "application_technology", + "type": "keyword" + }, + { + "description": "Application is resolved by 
signature or synchronized application\n", + "name": "application_category", + "type": "keyword" + }, + { + "description": "Technology of the application\n", + "name": "appresolvedby", + "type": "keyword" + }, + { + "description": "Application is Cloud\n", + "name": "app_is_cloud", + "type": "keyword" + }, + { + "description": "Interface for incoming traffic, e.g., Port A\n", + "name": "in_interface", + "type": "keyword" + }, + { + "description": "Interface for outgoing traffic, e.g., Port B\n", + "name": "out_interface", + "type": "keyword" + }, + { + "description": "Original source IP address of traffic\n", + "name": "src_ip", + "type": "ip" + }, + { + "description": "Original source MAC address of traffic\n", + "name": "src_mac", + "type": "keyword" + }, + { + "description": "Code of the country to which the source IP belongs\n", + "name": "src_country_code", + "type": "keyword" + }, + { + "description": "Original destination IP address of traffic\n", + "name": "dst_ip", + "type": "ip" + }, + { + "description": "Code of the country to which the destination IP belongs\n", + "name": "dst_country_code", + "type": "keyword" + }, + { + "description": "Protocol number of traffic\n", + "name": "protocol", + "type": "keyword" + }, + { + "description": "Original source port of TCP and UDP traffic\n", + "name": "src_port", + "type": "integer" + }, + { + "description": "Original destination port of TCP and UDP traffic\n", + "name": "dst_port", + "type": "integer" + }, + { + "description": "ICMP type of ICMP traffic\n", + "name": "icmp_type", + "type": "keyword" + }, + { + "description": "ICMP code of ICMP traffic\n", + "name": "icmp_code", + "type": "keyword" + }, + { + "description": "Total number of packets sent\n", + "name": "sent_pkts", + "type": "long" + }, + { + "description": "Total number of packets received\n", + "name": "received_pkts", + "type": "long" + }, + { + "description": "Total number of bytes sent\n", + "name": "sent_bytes", + "type": "long" + }, + { + 
"description": "Total number of bytes received\n", + "name": "recv_bytes", + "type": "long" + }, + { + "description": "Translated source IP address for outgoing traffic\n", + "name": "trans_src_ ip", + "type": "ip" + }, + { + "description": "Translated source port for outgoing traffic\n", + "name": "trans_src_port", + "type": "integer" + }, + { + "description": "Translated destination IP address for outgoing traffic\n", + "name": "trans_dst_ip", + "type": "ip" + }, + { + "description": "Translated destination port for outgoing traffic\n", + "name": "trans_dst_port", + "type": "integer" + }, + { + "description": "Type of source zone, e.g., LAN\n", + "name": "srczonetype", + "type": "keyword" + }, + { + "description": "Name of source zone\n", + "name": "srczone", + "type": "keyword" + }, + { + "description": "Type of destination zone, e.g., WAN\n", + "name": "dstzonetype", + "type": "keyword" + }, + { + "description": "Name of destination zone\n", + "name": "dstzone", + "type": "keyword" + }, + { + "description": "TPacket direction. Possible values:\u201corg\u201d, \u201creply\u201d, \u201c\u201d\n", + "name": "dir_disp", + "type": "keyword" + }, + { + "description": "Event on which this log is generated\n", + "name": "connevent", + "type": "keyword" + }, + { + "description": "Unique identifier of connection\n", + "name": "conn_id", + "type": "integer" + }, + { + "description": "Connection ID of the master connection\n", + "name": "vconn_id", + "type": "integer" + }, + { + "description": "IPS policy ID which is applied on the traffic\n", + "name": "idp_policy_id", + "type": "integer" + }, + { + "description": "IPS policy name i.e. 
IPS policy name which is applied on the traffic\n", + "name": "idp_policy_name", + "type": "keyword" + }, + { + "description": "Signature ID\n", + "name": "signature_id", + "type": "keyword" + }, + { + "description": "Signature messsage\n", + "name": "signature_msg", + "type": "keyword" + }, + { + "description": "Signature classification\n", + "name": "classification", + "type": "keyword" + }, + { + "description": "Priority of IPS policy\n", + "name": "rule_priority", + "type": "keyword" + }, + { + "description": "Platform of the traffic.\n", + "name": "platform", + "type": "keyword" + }, + { + "description": "IPS signature category.\n", + "name": "category", + "type": "keyword" + }, + { + "description": "Platform of the traffic.\n", + "name": "target", + "type": "keyword" + }, + { + "description": "ATP Evenet ID\n", + "name": "eventid", + "type": "keyword" + }, + { + "description": "Endpoint UUID\n", + "name": "ep_uuid", + "type": "keyword" + }, + { + "description": "ATP threatname\n", + "name": "threatname", + "type": "keyword" + }, + { + "description": "Original source IP address of traffic\n", + "name": "sourceip", + "type": "ip" + }, + { + "description": "Original destination IP address of traffic\n", + "name": "destinationip", + "type": "ip" + }, + { + "description": "ATP login user\n", + "name": "login_user", + "type": "keyword" + }, + { + "description": "ATP event type\n", + "name": "eventtype", + "type": "keyword" + }, + { + "description": "ATP execution path\n", + "name": "execution_path", + "type": "keyword" + }, + { + "description": "Malware scanning policy name which is applied on the traffic\n", + "name": "av_policy_name", + "type": "keyword" + }, + { + "description": "Sender email address\n", + "name": "from_email_address", + "type": "keyword" + }, + { + "description": "Receipeint email address\n", + "name": "to_email_address", + "type": "keyword" + }, + { + "description": "Email subject\n", + "name": "subject", + "type": "keyword" + }, + { + 
"description": "mailsize\n", + "name": "mailsize", + "type": "integer" + }, + { + "description": "virus name\n", + "name": "virus", + "type": "keyword" + }, + { + "description": "FTP URL from which virus was downloaded\n", + "name": "FTP_url", + "type": "keyword" + }, + { + "description": "Direction of FTP transfer: Upload or Download\n", + "name": "FTP_direction", + "type": "keyword" + }, + { + "description": "Size of the file that contained virus\n", + "name": "filesize", + "type": "integer" + }, + { + "description": "Path of the file containing virus\n", + "name": "filepath", + "type": "keyword" + }, + { + "description": "File name associated with the event\n", + "name": "filename", + "type": "keyword" + }, + { + "description": "FTP command used when virus was found\n", + "name": "ftpcommand", + "type": "keyword" + }, + { + "description": "URL from which virus was downloaded\n", + "name": "url", + "type": "keyword" + }, + { + "description": "Domain from which virus was downloaded\n", + "name": "domainname", + "type": "keyword" + }, + { + "description": "Path and filename of the file quarantined\n", + "name": "quarantine", + "type": "keyword" + }, + { + "description": "Sender domain name\n", + "name": "src_domainname", + "type": "keyword" + }, + { + "description": "Receiver domain name\n", + "name": "dst_domainname", + "type": "keyword" + }, + { + "description": "Reason why the record was detected as spam/malicious\n", + "name": "reason", + "type": "keyword" + }, + { + "description": "Referer\n", + "name": "referer", + "type": "keyword" + }, + { + "description": "Spam Action\n", + "name": "spamaction", + "type": "keyword" + }, + { + "description": "mailid\n", + "name": "mailid", + "type": "keyword" + }, + { + "description": "Quarantine reason\n", + "name": "quarantine_reason", + "type": "keyword" + }, + { + "description": "Status code\n", + "name": "status_code", + "type": "keyword" + }, + { + "description": "Override token\n", + "name": "override_token", + 
"type": "keyword" + }, + { + "description": "Unique identifier of connection\n", + "name": "con_id", + "type": "integer" + }, + { + "description": "Override authorizer\n", + "name": "override_authorizer", + "type": "keyword" + }, + { + "description": "Transaction ID of the AV scan.\n", + "name": "transactionid", + "type": "keyword" + }, + { + "description": "Upload file type\n", + "name": "upload_file_type", + "type": "keyword" + }, + { + "description": "Upload file name\n", + "name": "upload_file_name", + "type": "keyword" + }, + { + "description": "code of HTTP response\n", + "name": "httpresponsecode", + "type": "long" + }, + { + "description": "Group name to which the user belongs.\n", + "name": "user_gp", + "type": "keyword" + }, + { + "description": "Type of category under which website falls\n", + "name": "category_type", + "type": "keyword" + }, + { + "description": "Download file type\n", + "name": "download_file_type", + "type": "keyword" + }, + { + "description": "List of the checks excluded by web exceptions.\n", + "name": "exceptions", + "type": "keyword" + }, + { + "description": "Type of the content\n", + "name": "contenttype", + "type": "keyword" + }, + { + "description": "Override name\n", + "name": "override_name", + "type": "keyword" + }, + { + "description": "Web policy activity that matched and caused the policy result.\n", + "name": "activityname", + "type": "keyword" + }, + { + "description": "Download file name\n", + "name": "download_file_name", + "type": "keyword" + }, + { + "description": "SHA1 checksum of the item being analyzed\n", + "name": "sha1sum", + "type": "keyword" + }, + { + "description": "Message ID\n", + "name": "message_id", + "type": "keyword" + }, + { + "description": "Connection ID\n", + "name": "connid", + "type": "keyword" + }, + { + "description": "Message\n", + "name": "message", + "type": "keyword" + }, + { + "description": "Email Subject\n", + "name": "email_subject", + "type": "keyword" + }, + { + "description": 
"File path\n", + "name": "file_path", + "type": "keyword" + }, + { + "description": "Destination Domain\n", + "name": "dstdomain", + "type": "keyword" + }, + { + "description": "File Size\n", + "name": "file_size", + "type": "integer" + }, + { + "description": "Transaction ID\n", + "name": "transaction_id", + "type": "keyword" + }, + { + "description": "Website\n", + "name": "website", + "type": "keyword" + }, + { + "description": "Filename\n", + "name": "file_name", + "type": "keyword" + }, + { + "description": "Content Prefix\n", + "name": "context_prefix", + "type": "keyword" + }, + { + "description": "Site Category\n", + "name": "site_category", + "type": "keyword" + }, + { + "description": "Context Suffix\n", + "name": "context_suffix", + "type": "keyword" + }, + { + "description": "Dictionary Name\n", + "name": "dictionary_name", + "type": "keyword" + }, + { + "description": "Event Action\n", + "name": "action", + "type": "keyword" + }, + { + "description": "User\n", + "name": "user", + "type": "keyword" + }, + { + "description": "Context Match\n", + "name": "context_match", + "type": "keyword" + }, + { + "description": "Direction\n", + "name": "direction", + "type": "keyword" + }, + { + "description": "Auth Client\n", + "name": "auth_client", + "type": "keyword" + }, + { + "description": "Auth mechanism\n", + "name": "auth_mechanism", + "type": "keyword" + }, + { + "description": "Connectionname\n", + "name": "connectionname", + "type": "keyword" + }, + { + "description": "remotenetwork\n", + "name": "remotenetwork", + "type": "keyword" + }, + { + "description": "Localgateway\n", + "name": "localgateway", + "type": "keyword" + }, + { + "description": "Localnetwork\n", + "name": "localnetwork", + "type": "keyword" + }, + { + "description": "Connectiontype\n", + "name": "connectiontype", + "type": "keyword" + }, + { + "description": "Oldversion\n", + "name": "oldversion", + "type": "keyword" + }, + { + "description": "Newversion\n", + "name": "newversion", + 
"type": "keyword" + }, + { + "description": "Ipaddress\n", + "name": "ipaddress", + "type": "keyword" + }, + { + "description": "Client physical address\n", + "name": "client_physical_address", + "type": "keyword" + }, + { + "description": "Client host name\n", + "name": "client_host_name", + "type": "keyword" + }, + { + "description": "Raw data\n", + "name": "raw_data", + "type": "keyword" + }, + { + "description": "Mode\n", + "name": "Mode", + "type": "keyword" + }, + { + "description": "Sessionid\n", + "name": "sessionid", + "type": "keyword" + }, + { + "description": "Starttime\n", + "name": "starttime", + "type": "date" + }, + { + "description": "Remote IP\n", + "name": "remote_ip", + "type": "ip" + }, + { + "description": "timestamp\n", + "name": "timestamp", + "type": "date" + }, + { + "description": "SysLog SERVER NAME\n", + "name": "SysLog_SERVER_NAME", + "type": "keyword" + }, + { + "description": "Backup mode\n", + "name": "backup_mode", + "type": "keyword" + }, + { + "description": "Source\n", + "name": "source", + "type": "keyword" + }, + { + "description": "Server\n", + "name": "server", + "type": "keyword" + }, + { + "description": "Host\n", + "name": "host", + "type": "keyword" + }, + { + "description": "Responsetime\n", + "name": "responsetime", + "type": "long" + }, + { + "description": "cookie\n", + "name": "cookie", + "type": "keyword" + }, + { + "description": "querystring\n", + "name": "querystring", + "type": "keyword" + }, + { + "description": "extra\n", + "name": "extra", + "type": "keyword" + }, + { + "description": "PHPSESSID\n", + "name": "PHPSESSID", + "type": "keyword" + }, + { + "description": "Start time\n", + "name": "start_time", + "type": "date" + }, + { + "description": "Event time\n", + "name": "eventtime", + "type": "date" + }, + { + "description": "RED ID\n", + "name": "red_id", + "type": "keyword" + }, + { + "description": "Branch Name\n", + "name": "branch_name", + "type": "keyword" + }, + { + "description": "updatedip\n", + 
"name": "updatedip", + "type": "ip" + }, + { + "description": "idle ##\n", + "name": "idle_cpu", + "type": "float" + }, + { + "description": "system\n", + "name": "system_cpu", + "type": "float" + }, + { + "description": "system\n", + "name": "user_cpu", + "type": "float" + }, + { + "description": "used\n", + "name": "used", + "type": "integer" + }, + { + "description": "unit\n", + "name": "unit", + "type": "keyword" + }, + { + "description": "Total Memory\n", + "name": "total_memory", + "type": "integer" + }, + { + "description": "free\n", + "name": "free", + "type": "integer" + }, + { + "description": "transmitted errors\n", + "name": "transmittederrors", + "type": "keyword" + }, + { + "description": "received errors\n", + "name": "receivederrors", + "type": "keyword" + }, + { + "description": "received kbits\n", + "name": "receivedkbits", + "type": "long" + }, + { + "description": "transmitted kbits\n", + "name": "transmittedkbits", + "type": "long" + }, + { + "description": "transmitted drops\n", + "name": "transmitteddrops", + "type": "long" + }, + { + "description": "received drops\n", + "name": "receiveddrops", + "type": "long" + }, + { + "description": "collisions\n", + "name": "collisions", + "type": "long" + }, + { + "description": "interface\n", + "name": "interface", + "type": "keyword" + }, + { + "description": "Configuration\n", + "name": "Configuration", + "type": "float" + }, + { + "description": "Reports\n", + "name": "Reports", + "type": "float" + }, + { + "description": "Signature\n", + "name": "Signature", + "type": "float" + }, + { + "description": "Temp\n", + "name": "Temp", + "type": "float" + }, + { + "description": "users\n", + "name": "users", + "type": "keyword" + }, + { + "description": "ssid\n", + "name": "ssid", + "type": "keyword" + }, + { + "description": "ap\n", + "name": "ap", + "type": "keyword" + }, + { + "description": "clients connection ssid\n", + "name": "clients_conn_ssid", + "type": "keyword" + } + ], + "name": "xg", + 
"release": "beta", + "type": "group" + } + ] + } + } + } + } + } + }, + "squid": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "squid" + } + ], + "fields.yml": [ + { + "description": "squid fields.\n", + "fields": null, + "key": "squid", + "title": "Squid" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Name of the network interface where the traffic has been observed.\n", + "name": "network.interface.name", + "overwrite": true, + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "fields": [ + { + "description": "This key is used to capture the raw message that comes into the Log Decoder", + "name": "msg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "messageid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of instant messages", + "name": "message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.", + "name": "time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "level", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_vid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "data", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "statement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "audit_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "entry", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "hcode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "inode", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "dead", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "device_type_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "did", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "event_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.", + "name": "forward_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "forward_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "header_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_ctime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session", + "name": "medium", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "node_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key denotes that event is endpoint related", + "name": "nwe_callback_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "parse_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.", + "name": "process_vid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.", + "name": "process_vid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "rid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "session_split", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "site", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "size", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "sourcefile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log", + "name": "word", + "overwrite": true, + "type": "keyword" + } + ], + "name": "internal", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form", + "name": "event_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the normalized duration/lifetime in seconds.", + "name": "duration_time", + "overwrite": true, + "type": "double" + }, + { + "description": "This key is used to capture the incomplete time mentioned in a session as a string", + "name": "event_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Start time mentioned in a session in a 
standard form", + "name": "starttime", + "overwrite": true, + "type": "date" + }, + { + "name": "month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "day", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the End time mentioned in a session in a standard form", + "name": "endtime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the timezone of the Event Time", + "name": "timezone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A text string version of the duration", + "name": "duration_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. 
Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": "expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": 
true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a 
sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. 
Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd Linked ID. 
Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + "name": 
"event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI", + "name": "ip_proto", + "overwrite": true, + "type": "long" + }, + { + "name": "dns_cname_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_opcode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_resp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "host_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "packet_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.", + "name": "host_orig", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.", + "name": "rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the name of the Virtual LAN", + "name": "vlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "network", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures the particular event activity(Ex:Logoff)", + "name": "ec_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Theme of a particular Event(Ex:Authentication)", + "name": "ec_theme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Subject of a particular Event(Ex:User)", + "name": "ec_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the outcome of a particular Event(Ex:Success)", + "name": "ec_outcome", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Event 
category number", + "name": "event_cat", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the event category name corresponding to the event cat code", + "name": "event_cat_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.", + "name": "event_vcat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file", + "name": "analysis_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service", + "name": "analysis_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session", + "name": "analysis_session", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture behaviour of compromise", + "name": "boc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Enablers of Compromise", + "name": "eoc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation category", + "name": "inv_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation context", + "name": "inv_context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is key capture indicator of compromise", + "name": "ioc", + "overwrite": true, + "type": "keyword" + } + ], + "name": "investigations", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is a generic counter key that should be used with the label dclass.c1.str only", + "name": "dclass_c1", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c2.str only", + "name": "dclass_c2", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the number of times an event repeated", + "name": "event_counter", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r1.str only", + "name": "dclass_r1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c3.str only", + "name": "dclass_c3", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c1 only", + "name": "dclass_c1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter 
string key that should be used with the label dclass.c2 only", + "name": "dclass_c2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r1 only", + "name": "dclass_r1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r2.str only", + "name": "dclass_r2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c3 only", + "name": "dclass_c3_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r3.str only", + "name": "dclass_r3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r2 only", + "name": "dclass_r2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r3 only", + "name": "dclass_r3_str", + "overwrite": true, + "type": "keyword" + } + ], + "name": "counters", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture authentication methods used only", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Role of a user only", + "name": "user_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "X.500 (LDAP) Distinguished Name", + "name": "dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the type of logon method used.", + "name": "logon_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the user profile", + "name": "profile", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key is used to capture actual privileges used in accessing an object", + "name": "accesses", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Radius realm or similar grouping of accounts", + "name": "realm", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination User Session ID", + "name": "user_sid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn", + "name": "dn_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the User organization", + "name": "org", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn", + "name": "dn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "firstname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "lastname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User's Department Names only", + "name": "user_dept", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source User Session ID", + "name": "user_sid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Federated Service Provider. This is the application requesting authentication.", + "name": "federated_sp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the federated Identity Provider. 
This is the server providing the authentication.", + "name": "federated_idp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.", + "name": "logon_type_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "middlename", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Passwords seen in any session, plain text or encrypted", + "name": "password", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the role of a Host Machine", + "name": "host_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context", + "name": "ldap", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Search criteria from an LDAP search", + "name": "ldap_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to capture Results from an LDAP search", + "name": "ldap_response", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture username the process or service is running as, the author of the task", + "name": "owner", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage", + "name": "service_account", + "overwrite": true, + "type": "keyword" + } + ], + "name": "identity", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email", + "name": "email_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the source email address only, when the source context is not clear use email", + "name": "email_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the subject string from an Email only.", + "name": "subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a generic email address where the source or destination context is not clear", + "name": "email", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_to", + "overwrite": true, + "type": "keyword" + } + ], + "name": "email", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Deprecated, use permissions", + "name": "privilege", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the attachment file name", + "name": "attachment", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filesystem", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "binary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the file targeted by the action", + "name": "filename_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the parent filename, the 
file which performed the action", + "name": "filename_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filename_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the target process or file", + "name": "directory_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the source process or file", + "name": "directory_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture entropy vale of a file", + "name": "file_entropy", + "overwrite": true, + "type": "double" + }, + { + "description": "This is used to capture Company name of file located in version_info", + "name": "file_vendor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the task", + "name": "task_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "file", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Fully Qualified Domain Names", + "name": "fqdn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Web cookies specifically.", + "name": "web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reputation Number of an entity. 
Typically used for Web Domains", + "name": "reputation_num", + "overwrite": true, + "type": "double" + }, + { + "description": "Web referer's domain", + "name": "web_ref_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's query portion of the URL", + "name": "web_ref_query", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's page information", + "name": "web_ref_page", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web referer's root URL path", + "name": "web_ref_root", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_rpackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlpage", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlroot", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_url", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_method", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_referer", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_extension_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_page", + "overwrite": true, + "type": "keyword" + } + ], + "name": "web", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures Threat Name/Threat Category/Categorization of alert", + "name": "threat_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the threat description from the session directly or inferred", + "name": "threat_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": 
"This key is used to capture name of the alert", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source of the threat", + "name": "threat_source", + "overwrite": true, + "type": "keyword" + } + ], + "name": "threat", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Encryption Type or Encryption Key only", + "name": "crypto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Source (Client) Cipher", + "name": "cipher_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate organization only", + "name": "cert_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer's IP Address", + "name": "peer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source (Client) Cipher Size", + "name": "cipher_size_src", + "overwrite": true, + "type": "long" + }, + { + "description": "IKE negotiation phase.", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Encryption scheme used", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer\u2019s identity", + "name": "peer_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Signature Type", + "name": "sig_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_issuer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "cert_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Certificate Error String", + "name": "cert_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Destination 
(Server) Cipher", + "name": "cipher_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination (Server) Cipher Size", + "name": "cipher_size_dst", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "d_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "name": "s_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One", + "name": "ike_cookie1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two", + "name": "ike_cookie2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used for the hostname category value of a certificate", + "name": "cert_host_cat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate serial number only", + "name": "cert_serial", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Certificate validation status", + "name": "cert_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_keysize", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_insact", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_valid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate signing authority only", + "name": "cert_ca", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate common 
name only", + "name": "cert_common", + "overwrite": true, + "type": "keyword" + } + ], + "name": "crypto", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the ssid of a Wireless Session", + "name": "wlan_ssid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the access point name.", + "name": "access_point", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the channel names", + "name": "wlan_channel", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures either WLAN number/name", + "name": "wlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "wireless", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "A unique name assigned to logical units (volumes) within a physical disk", + "name": "disk_volume", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Logical Unit Number.This key is a very useful concept in Storage.", + "name": "lun", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This uniquely identifies a port on a HBA.", + "name": "pwwn", + "overwrite": true, + "type": "keyword" + } + ], + "name": "storage", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.", + "name": "org_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.", + "name": "org_src", + "overwrite": true, + "type": "keyword" + } + ], + "name": "physical", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_fname", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "This key captures the unique ID for a patient", + "name": "patient_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_lname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_mname", + "overwrite": true, + "type": "keyword" + } + ], + "name": "healthcare", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on", + "name": "host_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the path to the registry key", + "name": "registry_key", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures values or decorators used within a registry entry", + "name": "registry_value", + "overwrite": true, + "type": "keyword" + } + ], + "name": "endpoint", + "overwrite": true, + "type": "group" + } + ], + "name": "rsa", + "overwrite": true, + "type": "group" + } + ] + } + } + } + } + } + }, + "suricata": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "eve": { + "enabled": true + }, + "module": "suricata" + } + ], + "fields.yml": [ + { + "description": "Module for handling the EVE JSON logs produced by Suricata.\n", + "fields": [ + { + "description": "Fields from the Suricata EVE log file.\n", + "fields": null, + "name": "suricata", + "type": "group" + } + ], + "key": "suricata", + "title": "Suricata" + } + ] + } + }, + "eve": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields exported by the EVE JSON logs\n", + "fields": [ + { + "name": "event_type", + "type": "keyword" 
+ }, + { + "name": "app_proto_orig", + "type": "keyword" + }, + { + "fields": [ + { + "name": "tcp_flags", + "type": "keyword" + }, + { + "name": "psh", + "type": "boolean" + }, + { + "name": "tcp_flags_tc", + "type": "keyword" + }, + { + "name": "ack", + "type": "boolean" + }, + { + "name": "syn", + "type": "boolean" + }, + { + "name": "state", + "type": "keyword" + }, + { + "name": "tcp_flags_ts", + "type": "keyword" + }, + { + "name": "rst", + "type": "boolean" + }, + { + "name": "fin", + "type": "boolean" + } + ], + "name": "tcp", + "type": "group" + }, + { + "fields": [ + { + "name": "sha1", + "type": "keyword" + }, + { + "name": "filename", + "path": "file.path", + "type": "alias" + }, + { + "name": "tx_id", + "type": "long" + }, + { + "name": "state", + "type": "keyword" + }, + { + "name": "stored", + "type": "boolean" + }, + { + "name": "gaps", + "type": "boolean" + }, + { + "name": "sha256", + "type": "keyword" + }, + { + "name": "md5", + "type": "keyword" + }, + { + "name": "size", + "path": "file.size", + "type": "alias" + } + ], + "name": "fileinfo", + "type": "group" + }, + { + "name": "icmp_type", + "type": "long" + }, + { + "name": "dest_port", + "path": "destination.port", + "type": "alias" + }, + { + "name": "src_port", + "path": "source.port", + "type": "alias" + }, + { + "name": "proto", + "path": "network.transport", + "type": "alias" + }, + { + "name": "pcap_cnt", + "type": "long" + }, + { + "name": "src_ip", + "path": "source.ip", + "type": "alias" + }, + { + "fields": [ + { + "name": "type", + "type": "keyword" + }, + { + "name": "rrtype", + "type": "keyword" + }, + { + "name": "rrname", + "type": "keyword" + }, + { + "name": "rdata", + "type": "keyword" + }, + { + "name": "tx_id", + "type": "long" + }, + { + "name": "ttl", + "type": "long" + }, + { + "name": "rcode", + "type": "keyword" + }, + { + "name": "id", + "type": "long" + } + ], + "name": "dns", + "type": "group" + }, + { + "name": "flow_id", + "type": "keyword" + }, + { + "fields": 
[ + { + "name": "status", + "type": "keyword" + } + ], + "name": "email", + "type": "group" + }, + { + "name": "dest_ip", + "path": "destination.ip", + "type": "alias" + }, + { + "name": "icmp_code", + "type": "long" + }, + { + "fields": [ + { + "name": "status", + "path": "http.response.status_code", + "type": "alias" + }, + { + "name": "redirect", + "type": "keyword" + }, + { + "name": "http_user_agent", + "path": "user_agent.original", + "type": "alias" + }, + { + "name": "protocol", + "type": "keyword" + }, + { + "name": "http_refer", + "path": "http.request.referrer", + "type": "alias" + }, + { + "name": "url", + "path": "url.original", + "type": "alias" + }, + { + "name": "hostname", + "path": "url.domain", + "type": "alias" + }, + { + "name": "length", + "path": "http.response.body.bytes", + "type": "alias" + }, + { + "name": "http_method", + "path": "http.request.method", + "type": "alias" + }, + { + "name": "http_content_type", + "type": "keyword" + } + ], + "name": "http", + "type": "group" + }, + { + "name": "timestamp", + "path": "@timestamp", + "type": "alias" + }, + { + "name": "in_iface", + "type": "keyword" + }, + { + "fields": [ + { + "name": "category", + "type": "keyword" + }, + { + "name": "severity", + "path": "event.severity", + "type": "alias" + }, + { + "name": "rev", + "type": "long" + }, + { + "name": "gid", + "type": "long" + }, + { + "name": "signature", + "type": "keyword" + }, + { + "name": "action", + "path": "event.outcome", + "type": "alias" + }, + { + "name": "signature_id", + "type": "long" + } + ], + "name": "alert", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "name": "proto_version", + "type": "keyword" + }, + { + "name": "software_version", + "type": "keyword" + } + ], + "name": "client", + "type": "group" + }, + { + "fields": [ + { + "name": "proto_version", + "type": "keyword" + }, + { + "name": "software_version", + "type": "keyword" + } + ], + "name": "server", + "type": "group" + } + ], + "name": 
"ssh", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "name": "kernel_packets", + "type": "long" + }, + { + "name": "kernel_drops", + "type": "long" + }, + { + "name": "kernel_ifdrops", + "type": "long" + } + ], + "name": "capture", + "type": "group" + }, + { + "name": "uptime", + "type": "long" + }, + { + "fields": [ + { + "name": "alert", + "type": "long" + } + ], + "name": "detect", + "type": "group" + }, + { + "fields": [ + { + "name": "memcap", + "type": "long" + }, + { + "name": "memuse", + "type": "long" + } + ], + "name": "http", + "type": "group" + }, + { + "fields": [ + { + "name": "open_files", + "type": "long" + } + ], + "name": "file_store", + "type": "group" + }, + { + "fields": [ + { + "name": "max_frag_hits", + "type": "long" + }, + { + "fields": [ + { + "name": "timeouts", + "type": "long" + }, + { + "name": "fragments", + "type": "long" + }, + { + "name": "reassembled", + "type": "long" + } + ], + "name": "ipv4", + "type": "group" + }, + { + "fields": [ + { + "name": "timeouts", + "type": "long" + }, + { + "name": "fragments", + "type": "long" + }, + { + "name": "reassembled", + "type": "long" + } + ], + "name": "ipv6", + "type": "group" + } + ], + "name": "defrag", + "type": "group" + }, + { + "fields": [ + { + "name": "tcp_reuse", + "type": "long" + }, + { + "name": "udp", + "type": "long" + }, + { + "name": "memcap", + "type": "long" + }, + { + "name": "emerg_mode_entered", + "type": "long" + }, + { + "name": "emerg_mode_over", + "type": "long" + }, + { + "name": "tcp", + "type": "long" + }, + { + "name": "icmpv6", + "type": "long" + }, + { + "name": "icmpv4", + "type": "long" + }, + { + "name": "spare", + "type": "long" + }, + { + "name": "memuse", + "type": "long" + } + ], + "name": "flow", + "type": "group" + }, + { + "fields": [ + { + "name": "pseudo_failed", + "type": "long" + }, + { + "name": "ssn_memcap_drop", + "type": "long" + }, + { + "name": "insert_data_overlap_fail", + "type": "long" + }, + { + "name": "sessions", 
+ "type": "long" + }, + { + "name": "pseudo", + "type": "long" + }, + { + "name": "synack", + "type": "long" + }, + { + "name": "insert_data_normal_fail", + "type": "long" + }, + { + "name": "syn", + "type": "long" + }, + { + "name": "memuse", + "type": "long" + }, + { + "name": "invalid_checksum", + "type": "long" + }, + { + "name": "segment_memcap_drop", + "type": "long" + }, + { + "name": "overlap", + "type": "long" + }, + { + "name": "insert_list_fail", + "type": "long" + }, + { + "name": "rst", + "type": "long" + }, + { + "name": "stream_depth_reached", + "type": "long" + }, + { + "name": "reassembly_memuse", + "type": "long" + }, + { + "name": "reassembly_gap", + "type": "long" + }, + { + "name": "overlap_diff_data", + "type": "long" + }, + { + "name": "no_flow", + "type": "long" + } + ], + "name": "tcp", + "type": "group" + }, + { + "fields": [ + { + "name": "avg_pkt_size", + "type": "long" + }, + { + "name": "bytes", + "type": "long" + }, + { + "name": "tcp", + "type": "long" + }, + { + "name": "raw", + "type": "long" + }, + { + "name": "ppp", + "type": "long" + }, + { + "name": "vlan_qinq", + "type": "long" + }, + { + "name": "null", + "type": "long" + }, + { + "fields": [ + { + "name": "unsupported_type", + "type": "long" + }, + { + "name": "pkt_too_small", + "type": "long" + } + ], + "name": "ltnull", + "type": "group" + }, + { + "name": "invalid", + "type": "long" + }, + { + "name": "gre", + "type": "long" + }, + { + "name": "ipv4", + "type": "long" + }, + { + "name": "ipv6", + "type": "long" + }, + { + "name": "pkts", + "type": "long" + }, + { + "name": "ipv6_in_ipv6", + "type": "long" + }, + { + "fields": [ + { + "name": "invalid_ip_version", + "type": "long" + } + ], + "name": "ipraw", + "type": "group" + }, + { + "name": "pppoe", + "type": "long" + }, + { + "name": "udp", + "type": "long" + }, + { + "fields": [ + { + "name": "pkt_too_small", + "type": "long" + } + ], + "name": "dce", + "type": "group" + }, + { + "name": "vlan", + "type": "long" + }, 
+ { + "name": "sctp", + "type": "long" + }, + { + "name": "max_pkt_size", + "type": "long" + }, + { + "name": "teredo", + "type": "long" + }, + { + "name": "mpls", + "type": "long" + }, + { + "name": "sll", + "type": "long" + }, + { + "name": "icmpv6", + "type": "long" + }, + { + "name": "icmpv4", + "type": "long" + }, + { + "name": "erspan", + "type": "long" + }, + { + "name": "ethernet", + "type": "long" + }, + { + "name": "ipv4_in_ipv6", + "type": "long" + }, + { + "name": "ieee8021ah", + "type": "long" + } + ], + "name": "decoder", + "type": "group" + }, + { + "fields": [ + { + "name": "memcap_global", + "type": "long" + }, + { + "name": "memcap_state", + "type": "long" + }, + { + "name": "memuse", + "type": "long" + } + ], + "name": "dns", + "type": "group" + }, + { + "fields": [ + { + "name": "rows_busy", + "type": "long" + }, + { + "name": "flows_timeout", + "type": "long" + }, + { + "name": "flows_notimeout", + "type": "long" + }, + { + "name": "rows_skipped", + "type": "long" + }, + { + "name": "closed_pruned", + "type": "long" + }, + { + "name": "new_pruned", + "type": "long" + }, + { + "name": "flows_removed", + "type": "long" + }, + { + "name": "bypassed_pruned", + "type": "long" + }, + { + "name": "est_pruned", + "type": "long" + }, + { + "name": "flows_timeout_inuse", + "type": "long" + }, + { + "name": "flows_checked", + "type": "long" + }, + { + "name": "rows_maxlen", + "type": "long" + }, + { + "name": "rows_checked", + "type": "long" + }, + { + "name": "rows_empty", + "type": "long" + } + ], + "name": "flow_mgr", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "name": "tls", + "type": "long" + }, + { + "name": "ftp", + "type": "long" + }, + { + "name": "http", + "type": "long" + }, + { + "name": "failed_udp", + "type": "long" + }, + { + "name": "dns_udp", + "type": "long" + }, + { + "name": "dns_tcp", + "type": "long" + }, + { + "name": "smtp", + "type": "long" + }, + { + "name": "failed_tcp", + "type": "long" + }, + { + "name": 
"msn", + "type": "long" + }, + { + "name": "ssh", + "type": "long" + }, + { + "name": "imap", + "type": "long" + }, + { + "name": "dcerpc_udp", + "type": "long" + }, + { + "name": "dcerpc_tcp", + "type": "long" + }, + { + "name": "smb", + "type": "long" + } + ], + "name": "flow", + "type": "group" + }, + { + "fields": [ + { + "name": "tls", + "type": "long" + }, + { + "name": "ftp", + "type": "long" + }, + { + "name": "http", + "type": "long" + }, + { + "name": "dns_udp", + "type": "long" + }, + { + "name": "dns_tcp", + "type": "long" + }, + { + "name": "smtp", + "type": "long" + }, + { + "name": "ssh", + "type": "long" + }, + { + "name": "dcerpc_udp", + "type": "long" + }, + { + "name": "dcerpc_tcp", + "type": "long" + }, + { + "name": "smb", + "type": "long" + } + ], + "name": "tx", + "type": "group" + } + ], + "name": "app_layer", + "type": "group" + } + ], + "name": "stats", + "type": "group" + }, + { + "fields": [ + { + "name": "notbefore", + "type": "date" + }, + { + "name": "issuerdn", + "type": "keyword" + }, + { + "name": "sni", + "type": "keyword" + }, + { + "name": "version", + "type": "keyword" + }, + { + "name": "session_resumed", + "type": "boolean" + }, + { + "name": "fingerprint", + "type": "keyword" + }, + { + "name": "serial", + "type": "keyword" + }, + { + "name": "notafter", + "type": "date" + }, + { + "name": "subject", + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "name": "string", + "type": "keyword" + }, + { + "name": "hash", + "type": "keyword" + } + ], + "name": "ja3s", + "type": "group" + }, + { + "default_field": false, + "fields": [ + { + "name": "string", + "type": "keyword" + }, + { + "name": "hash", + "type": "keyword" + } + ], + "name": "ja3", + "type": "group" + } + ], + "name": "tls", + "type": "group" + }, + { + "name": "app_proto_ts", + "type": "keyword" + }, + { + "fields": [ + { + "name": "bytes_toclient", + "path": "destination.bytes", + "type": "alias" + }, + { + "name": "start", + "path": 
"event.start", + "type": "alias" + }, + { + "name": "pkts_toclient", + "path": "destination.packets", + "type": "alias" + }, + { + "name": "age", + "type": "long" + }, + { + "name": "state", + "type": "keyword" + }, + { + "name": "bytes_toserver", + "path": "source.bytes", + "type": "alias" + }, + { + "name": "reason", + "type": "keyword" + }, + { + "name": "pkts_toserver", + "path": "source.packets", + "type": "alias" + }, + { + "name": "end", + "type": "date" + }, + { + "name": "alerted", + "type": "boolean" + } + ], + "name": "flow", + "type": "group" + }, + { + "name": "app_proto", + "path": "network.protocol", + "type": "alias" + }, + { + "name": "tx_id", + "type": "long" + }, + { + "name": "app_proto_tc", + "type": "keyword" + }, + { + "fields": [ + { + "name": "rcpt_to", + "type": "keyword" + }, + { + "name": "mail_from", + "type": "keyword" + }, + { + "name": "helo", + "type": "keyword" + } + ], + "name": "smtp", + "type": "group" + }, + { + "name": "app_proto_expected", + "type": "keyword" + }, + { + "fields": null, + "name": "flags", + "type": "group" + } + ], + "name": "eve", + "type": "group" + } + ] + } + } + } + } + } + }, + "system": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "auth": { + "enabled": true + }, + "module": "system", + "syslog": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "Module for parsing system log files.\n", + "fields": [ + { + "description": "Fields from the system log files.\n", + "fields": null, + "name": "system", + "type": "group" + } + ], + "key": "system", + "short_config": true, + "title": "System" + } + ] + } + }, + "auth": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields from the Linux authorization logs.\n", + "fields": [ + { + "migration": true, + "name": "timestamp", + "path": "@timestamp", + "type": "alias" + }, + { + "migration": true, + "name": "hostname", + "path": "host.hostname", + "type": "alias" + }, + { + "migration": 
true, + "name": "program", + "path": "process.name", + "type": "alias" + }, + { + "migration": true, + "name": "pid", + "path": "process.pid", + "type": "alias" + }, + { + "migration": true, + "name": "message", + "path": "message", + "type": "alias" + }, + { + "migration": true, + "name": "user", + "path": "user.name", + "type": "alias" + }, + { + "fields": [ + { + "description": "The SSH authentication method. Can be one of \"password\" or \"publickey\".\n", + "name": "method" + }, + { + "description": "The signature of the client public key.\n", + "name": "signature" + }, + { + "description": "The client IP from SSH connections that are open and immediately dropped.\n", + "name": "dropped_ip", + "type": "ip" + }, + { + "description": "The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)\n", + "example": "Accepted", + "name": "event" + }, + { + "migration": true, + "name": "ip", + "path": "source.ip", + "type": "alias" + }, + { + "migration": true, + "name": "port", + "path": "source.port", + "type": "alias" + }, + { + "fields": [ + { + "migration": true, + "name": "continent_name", + "path": "source.geo.continent_name", + "type": "alias" + }, + { + "migration": true, + "name": "country_iso_code", + "path": "source.geo.country_iso_code", + "type": "alias" + }, + { + "migration": true, + "name": "location", + "path": "source.geo.location", + "type": "alias" + }, + { + "migration": true, + "name": "region_name", + "path": "source.geo.region_name", + "type": "alias" + }, + { + "migration": true, + "name": "city_name", + "path": "source.geo.city_name", + "type": "alias" + }, + { + "migration": true, + "name": "region_iso_code", + "path": "source.geo.region_iso_code", + "type": "alias" + } + ], + "name": "geoip", + "type": "group" + } + ], + "name": "ssh", + "type": "group" + }, + { + "description": "Fields specific to events created by the `sudo` command.\n", + "fields": [ + { + "description": "The error message in case the sudo command failed.\n", + 
"example": "user NOT in sudoers", + "name": "error" + }, + { + "description": "The TTY where the sudo command is executed.\n", + "name": "tty" + }, + { + "description": "The current directory where the sudo command is executed.\n", + "name": "pwd" + }, + { + "description": "The target user to which the sudo command is switching.\n", + "example": "root", + "name": "user" + }, + { + "description": "The command executed via sudo.\n", + "name": "command" + } + ], + "name": "sudo", + "type": "group" + }, + { + "description": "Fields specific to events created by the `useradd` command.\n", + "fields": [ + { + "description": "The home folder for the new user.", + "name": "home" + }, + { + "description": "The default shell for the new user.", + "name": "shell" + }, + { + "migration": true, + "name": "name", + "path": "user.name", + "type": "alias" + }, + { + "migration": true, + "name": "uid", + "path": "user.id", + "type": "alias" + }, + { + "migration": true, + "name": "gid", + "path": "group.id", + "type": "alias" + } + ], + "name": "useradd", + "type": "group" + }, + { + "description": "Fields specific to events created by the `groupadd` command.\n", + "fields": [ + { + "migration": true, + "name": "name", + "path": "group.name", + "type": "alias" + }, + { + "migration": true, + "name": "gid", + "path": "group.id", + "type": "alias" + } + ], + "name": "groupadd", + "type": "group" + } + ], + "name": "auth", + "type": "group" + } + ] + } + } + } + }, + "syslog": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains fields from the syslog system logs.\n", + "fields": [ + { + "migration": true, + "name": "timestamp", + "path": "@timestamp", + "type": "alias" + }, + { + "migration": true, + "name": "hostname", + "path": "host.hostname", + "type": "alias" + }, + { + "migration": true, + "name": "program", + "path": "process.name", + "type": "alias" + }, + { + "migration": true, + "name": "pid", + "path": "process.pid", + "type": "alias" 
+ }, + { + "migration": true, + "name": "message", + "path": "message", + "type": "alias" + } + ], + "name": "syslog", + "type": "group" + } + ] + } + } + } + } + } + }, + "tomcat": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "log": { + "enabled": true + }, + "module": "tomcat" + } + ], + "fields.yml": [ + { + "description": "tomcat fields.\n", + "fields": null, + "key": "tomcat", + "title": "Apache Tomcat" + } + ] + } + }, + "log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Name of the network interface where the traffic has been observed.\n", + "name": "network.interface.name", + "overwrite": true, + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "fields": [ + { + "description": "This key is used to capture the raw message that comes into the Log Decoder", + "name": "msg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "messageid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of instant messages", + "name": "message", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.", + "name": "time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "level", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_vid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "data", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "statement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "audit_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "entry", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "hcode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "inode", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource_class", + "overwrite": true, + "type": "keyword" + }, + { 
+ "description": "Deprecated key defined only in table map.", + "name": "dead", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "device_type_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "did", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "event_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.", + "name": "forward_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "forward_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "header_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_ctime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session", + "name": "medium", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "node_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key denotes that event is endpoint related", + "name": "nwe_callback_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "parse_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.", + "name": "process_vid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.", + "name": "process_vid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "rid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "session_split", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "site", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "size", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "sourcefile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log", + "name": "word", + "overwrite": true, + "type": "keyword" + } + ], + "name": "internal", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form", + "name": "event_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the normalized duration/lifetime in seconds.", + "name": "duration_time", + "overwrite": true, + "type": "double" + }, + { + "description": "This key is used to capture the incomplete time mentioned in a session as a string", + "name": "event_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Start time mentioned in a session in a 
standard form", + "name": "starttime", + "overwrite": true, + "type": "date" + }, + { + "name": "month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "day", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the End time mentioned in a session in a standard form", + "name": "endtime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the timezone of the Event Time", + "name": "timezone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A text string version of the duration", + "name": "duration_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. 
Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": "expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": 
true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a 
sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. 
Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd Linked ID. 
Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + "name": 
"event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI", + "name": "ip_proto", + "overwrite": true, + "type": "long" + }, + { + "name": "dns_cname_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_opcode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_resp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "host_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "packet_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.", + "name": "host_orig", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.", + "name": "rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the name of the Virtual LAN", + "name": "vlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "network", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures the particular event activity(Ex:Logoff)", + "name": "ec_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Theme of a particular Event(Ex:Authentication)", + "name": "ec_theme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Subject of a particular Event(Ex:User)", + "name": "ec_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the outcome of a particular Event(Ex:Success)", + "name": "ec_outcome", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Event 
category number", + "name": "event_cat", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the event category name corresponding to the event cat code", + "name": "event_cat_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.", + "name": "event_vcat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file", + "name": "analysis_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service", + "name": "analysis_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session", + "name": "analysis_session", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture behaviour of compromise", + "name": "boc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Enablers of Compromise", + "name": "eoc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation category", + "name": "inv_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation context", + "name": "inv_context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is key capture indicator of compromise", + "name": "ioc", + "overwrite": true, + "type": "keyword" + } + ], + "name": "investigations", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is a generic counter key that should be used with the label dclass.c1.str only", + "name": "dclass_c1", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c2.str only", + "name": "dclass_c2", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the number of times an event repeated", + "name": "event_counter", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r1.str only", + "name": "dclass_r1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c3.str only", + "name": "dclass_c3", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c1 only", + "name": "dclass_c1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter 
string key that should be used with the label dclass.c2 only", + "name": "dclass_c2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r1 only", + "name": "dclass_r1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r2.str only", + "name": "dclass_r2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c3 only", + "name": "dclass_c3_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r3.str only", + "name": "dclass_r3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r2 only", + "name": "dclass_r2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r3 only", + "name": "dclass_r3_str", + "overwrite": true, + "type": "keyword" + } + ], + "name": "counters", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture authentication methods used only", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Role of a user only", + "name": "user_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "X.500 (LDAP) Distinguished Name", + "name": "dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the type of logon method used.", + "name": "logon_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the user profile", + "name": "profile", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key is used to capture actual privileges used in accessing an object", + "name": "accesses", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Radius realm or similar grouping of accounts", + "name": "realm", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination User Session ID", + "name": "user_sid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn", + "name": "dn_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the User organization", + "name": "org", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn", + "name": "dn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "firstname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "lastname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User's Department Names only", + "name": "user_dept", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source User Session ID", + "name": "user_sid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Federated Service Provider. This is the application requesting authentication.", + "name": "federated_sp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the federated Identity Provider. 
This is the server providing the authentication.", + "name": "federated_idp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.", + "name": "logon_type_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "middlename", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Passwords seen in any session, plain text or encrypted", + "name": "password", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the role of a Host Machine", + "name": "host_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context", + "name": "ldap", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Search criteria from an LDAP search", + "name": "ldap_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to capture Results from an LDAP search", + "name": "ldap_response", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture username the process or service is running as, the author of the task", + "name": "owner", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage", + "name": "service_account", + "overwrite": true, + "type": "keyword" + } + ], + "name": "identity", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email", + "name": "email_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the source email address only, when the source context is not clear use email", + "name": "email_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the subject string from an Email only.", + "name": "subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a generic email address where the source or destination context is not clear", + "name": "email", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_to", + "overwrite": true, + "type": "keyword" + } + ], + "name": "email", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Deprecated, use permissions", + "name": "privilege", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the attachment file name", + "name": "attachment", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filesystem", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "binary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the file targeted by the action", + "name": "filename_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the parent filename, the 
file which performed the action", + "name": "filename_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filename_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the target process or file", + "name": "directory_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the source process or file", + "name": "directory_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture entropy vale of a file", + "name": "file_entropy", + "overwrite": true, + "type": "double" + }, + { + "description": "This is used to capture Company name of file located in version_info", + "name": "file_vendor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the task", + "name": "task_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "file", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Fully Qualified Domain Names", + "name": "fqdn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Web cookies specifically.", + "name": "web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reputation Number of an entity. 
Typically used for Web Domains", + "name": "reputation_num", + "overwrite": true, + "type": "double" + }, + { + "description": "Web referer's domain", + "name": "web_ref_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's query portion of the URL", + "name": "web_ref_query", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's page information", + "name": "web_ref_page", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web referer's root URL path", + "name": "web_ref_root", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_rpackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlpage", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlroot", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_url", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_method", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_referer", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_extension_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_page", + "overwrite": true, + "type": "keyword" + } + ], + "name": "web", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures Threat Name/Threat Category/Categorization of alert", + "name": "threat_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the threat description from the session directly or inferred", + "name": "threat_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": 
"This key is used to capture name of the alert", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source of the threat", + "name": "threat_source", + "overwrite": true, + "type": "keyword" + } + ], + "name": "threat", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Encryption Type or Encryption Key only", + "name": "crypto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Source (Client) Cipher", + "name": "cipher_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate organization only", + "name": "cert_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer's IP Address", + "name": "peer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source (Client) Cipher Size", + "name": "cipher_size_src", + "overwrite": true, + "type": "long" + }, + { + "description": "IKE negotiation phase.", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Encryption scheme used", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer\u2019s identity", + "name": "peer_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Signature Type", + "name": "sig_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_issuer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "cert_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Certificate Error String", + "name": "cert_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Destination 
(Server) Cipher", + "name": "cipher_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination (Server) Cipher Size", + "name": "cipher_size_dst", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "d_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "name": "s_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One", + "name": "ike_cookie1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two", + "name": "ike_cookie2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used for the hostname category value of a certificate", + "name": "cert_host_cat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate serial number only", + "name": "cert_serial", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Certificate validation status", + "name": "cert_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_keysize", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_insact", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_valid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate signing authority only", + "name": "cert_ca", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate common 
name only", + "name": "cert_common", + "overwrite": true, + "type": "keyword" + } + ], + "name": "crypto", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the ssid of a Wireless Session", + "name": "wlan_ssid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the access point name.", + "name": "access_point", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the channel names", + "name": "wlan_channel", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures either WLAN number/name", + "name": "wlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "wireless", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "A unique name assigned to logical units (volumes) within a physical disk", + "name": "disk_volume", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Logical Unit Number.This key is a very useful concept in Storage.", + "name": "lun", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This uniquely identifies a port on a HBA.", + "name": "pwwn", + "overwrite": true, + "type": "keyword" + } + ], + "name": "storage", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.", + "name": "org_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.", + "name": "org_src", + "overwrite": true, + "type": "keyword" + } + ], + "name": "physical", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_fname", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "This key captures the unique ID for a patient", + "name": "patient_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_lname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_mname", + "overwrite": true, + "type": "keyword" + } + ], + "name": "healthcare", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on", + "name": "host_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the path to the registry key", + "name": "registry_key", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures values or decorators used within a registry entry", + "name": "registry_value", + "overwrite": true, + "type": "keyword" + } + ], + "name": "endpoint", + "overwrite": true, + "type": "group" + } + ], + "name": "rsa", + "overwrite": true, + "type": "group" + } + ] + } + } + } + } + } + }, + "traefik": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "access": { + "enabled": true + }, + "module": "traefik" + } + ], + "fields.yml": [ + { + "description": "Module for parsing the Traefik log files.\n", + "fields": [ + { + "description": "Fields from the Traefik log files.\n", + "fields": null, + "name": "traefik", + "type": "group" + } + ], + "key": "traefik", + "title": "Traefik" + } + ] + } + }, + "access": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains fields for the Traefik access logs.\n", + "fields": [ + { + "description": "Is the RFC 1413 identity of the 
client\n", + "name": "user_identifier", + "type": "keyword" + }, + { + "description": "The number of requests\n", + "name": "request_count", + "type": "long" + }, + { + "description": "The name of the frontend used\n", + "name": "frontend_name", + "type": "keyword" + }, + { + "description": "The url of the backend where request is forwarded", + "name": "backend_url", + "type": "keyword" + }, + { + "migration": true, + "name": "body_sent.bytes", + "path": "http.response.body.bytes", + "type": "alias" + }, + { + "migration": true, + "name": "remote_ip", + "path": "source.address", + "type": "alias" + }, + { + "migration": true, + "name": "user_name", + "path": "user.name", + "type": "alias" + }, + { + "migration": true, + "name": "method", + "path": "http.request.method", + "type": "alias" + }, + { + "migration": true, + "name": "url", + "path": "url.original", + "type": "alias" + }, + { + "migration": true, + "name": "http_version", + "path": "http.version", + "type": "alias" + }, + { + "migration": true, + "name": "response_code", + "path": "http.response.status_code", + "type": "alias" + }, + { + "migration": true, + "name": "referrer", + "path": "http.request.referrer", + "type": "alias" + }, + { + "migration": true, + "name": "agent", + "path": "user_agent.original", + "type": "alias" + }, + { + "fields": [ + { + "name": "device", + "path": "user_agent.device.name", + "type": "alias" + }, + { + "name": "name", + "path": "user_agent.name", + "type": "alias" + }, + { + "name": "os", + "path": "user_agent.os.full_name", + "type": "alias" + }, + { + "name": "os_name", + "path": "user_agent.os.name", + "type": "alias" + }, + { + "name": "original", + "path": "user_agent.original", + "type": "alias" + } + ], + "name": "user_agent", + "type": "group" + }, + { + "fields": [ + { + "name": "continent_name", + "path": "source.geo.continent_name", + "type": "alias" + }, + { + "name": "country_iso_code", + "path": "source.geo.country_iso_code", + "type": "alias" + }, + { + 
"name": "location", + "path": "source.geo.location", + "type": "alias" + }, + { + "name": "region_name", + "path": "source.geo.region_name", + "type": "alias" + }, + { + "name": "city_name", + "path": "source.geo.city_name", + "type": "alias" + }, + { + "name": "region_iso_code", + "path": "source.geo.region_iso_code", + "type": "alias" + } + ], + "name": "geoip", + "type": "group" + } + ], + "name": "access", + "type": "group" + } + ] + } + } + } + } + } + }, + "zeek": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "capture_loss": { + "enabled": true + }, + "connection": { + "enabled": true + }, + "dce_rpc": { + "enabled": true + }, + "dhcp": { + "enabled": true + }, + "dnp3": { + "enabled": true + }, + "dns": { + "enabled": true + }, + "dpd": { + "enabled": true + }, + "files": { + "enabled": true + }, + "ftp": { + "enabled": true + }, + "http": { + "enabled": true + }, + "intel": { + "enabled": true + }, + "irc": { + "enabled": true + }, + "kerberos": { + "enabled": true + }, + "modbus": { + "enabled": true + }, + "module": "zeek", + "mysql": { + "enabled": true + }, + "notice": { + "enabled": true + }, + "ntlm": { + "enabled": true + }, + "ocsp": { + "enabled": true + }, + "pe": { + "enabled": true + }, + "radius": { + "enabled": true + }, + "rdp": { + "enabled": true + }, + "rfb": { + "enabled": true + }, + "sip": { + "enabled": true + }, + "smb_cmd": { + "enabled": true + }, + "smb_files": { + "enabled": true + }, + "smb_mapping": { + "enabled": true + }, + "smtp": { + "enabled": true + }, + "snmp": { + "enabled": true + }, + "socks": { + "enabled": true + }, + "ssh": { + "enabled": true + }, + "ssl": { + "enabled": true + }, + "stats": { + "enabled": true + }, + "syslog": { + "enabled": true + }, + "traceroute": { + "enabled": true + }, + "tunnel": { + "enabled": true + }, + "weird": { + "enabled": true + }, + "x509": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "Module for handling logs produced by Zeek/Bro\n", 
+ "fields": [ + { + "description": "Fields from Zeek/Bro logs after normalization\n", + "fields": [ + { + "description": "A unique identifier of the session\n", + "name": "session_id", + "type": "keyword" + } + ], + "name": "zeek", + "type": "group" + } + ], + "key": "zeek", + "title": "Zeek" + } + ] + } + }, + "capture_loss": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields exported by the Zeek capture_loss log\n", + "fields": [ + { + "description": "The time delay between this measurement and the last.\n", + "name": "ts_delta", + "type": "integer" + }, + { + "description": "In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name.\n", + "name": "peer", + "type": "keyword" + }, + { + "description": "Number of missed ACKs from the previous measurement interval.\n", + "name": "gaps", + "type": "integer" + }, + { + "description": "Total number of ACKs seen in the previous measurement interval.\n", + "name": "acks", + "type": "integer" + }, + { + "description": "Percentage of ACKs seen where the data being ACKed wasn't seen.\n", + "name": "percent_lost", + "type": "double" + } + ], + "name": "capture_loss", + "type": "group" + } + ] + } + } + } + }, + "connection": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek Connection log\n", + "fields": [ + { + "description": "Indicates whether the session is originated locally.\n", + "name": "local_orig", + "type": "boolean" + }, + { + "description": "Indicates whether the session is responded locally.\n", + "name": "local_resp", + "type": "boolean" + }, + { + "description": "Missed bytes for the session.\n", + "name": "missed_bytes", + "type": "long" + }, + { + "description": "Code indicating the state of the session.\n", + "name": "state", + "type": "keyword" + }, + { + "description": "The state of the session.\n", + "name": 
"state_message", + "type": "keyword" + }, + { + "fields": [ + { + "description": "ICMP message type.\n", + "name": "type", + "type": "integer" + }, + { + "description": "ICMP message code.\n", + "name": "code", + "type": "integer" + } + ], + "name": "icmp", + "type": "group" + }, + { + "description": "Flags indicating the history of the session.\n", + "name": "history", + "type": "keyword" + }, + { + "description": "VLAN identifier.\n", + "name": "vlan", + "type": "integer" + }, + { + "description": "VLAN identifier.\n", + "name": "inner_vlan", + "type": "integer" + } + ], + "name": "connection", + "type": "group" + } + ] + } + } + } + }, + "dce_rpc": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek DCE_RPC log\n", + "fields": [ + { + "description": "Round trip time from the request to the response. If either the request or response wasn't seen, this will be null.\n", + "name": "rtt", + "type": "integer" + }, + { + "description": "Remote pipe name.\n", + "name": "named_pipe", + "type": "keyword" + }, + { + "description": "Endpoint name looked up from the uuid.\n", + "name": "endpoint", + "type": "keyword" + }, + { + "description": "Operation seen in the call.\n", + "name": "operation", + "type": "keyword" + } + ], + "name": "dce_rpc", + "type": "group" + } + ] + } + } + } + }, + "dhcp": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek DHCP log\n", + "fields": [ + { + "description": "Domain given by the server in option 15.\n", + "name": "domain", + "type": "keyword" + }, + { + "description": "Duration of the DHCP session representing the time from the first\nmessage to the last, in seconds.\n", + "name": "duration", + "type": "double" + }, + { + "description": "Name given by client in Hostname option 12.\n", + "name": "hostname", + "type": "keyword" + }, + { + "description": "FQDN given by 
client in Client FQDN option 81.\n", + "name": "client_fqdn", + "type": "keyword" + }, + { + "description": "IP address lease interval in seconds.\n", + "name": "lease_time", + "type": "integer" + }, + { + "description": "Addresses seen in this DHCP exchange.\n", + "fields": [ + { + "description": "IP address assigned by the server.\n", + "name": "assigned", + "type": "ip" + }, + { + "description": "IP address of the client. If a transaction is only a client sending\nINFORM messages then there is no lease information exchanged so this\nis helpful to know who sent the messages. Getting an address in this\nfield does require that the client sources at least one DHCP message\nusing a non-broadcast address.\n", + "name": "client", + "type": "ip" + }, + { + "description": "Client's hardware address.\n", + "name": "mac", + "type": "keyword" + }, + { + "description": "IP address requested by the client.\n", + "name": "requested", + "type": "ip" + }, + { + "description": "IP address of the DHCP server.\n", + "name": "server", + "type": "ip" + } + ], + "name": "address", + "type": "group" + }, + { + "fields": [ + { + "description": "List of DHCP message types seen in this exchange.\n", + "name": "types", + "type": "keyword" + }, + { + "description": "(present if policy/protocols/dhcp/msg-orig.bro is loaded)\nThe address that originated each message from the msg.types field.\n", + "name": "origin", + "type": "ip" + }, + { + "description": "Message typically accompanied with a DHCP_DECLINE so the client can\ntell the server why it rejected an address.\n", + "name": "client", + "type": "keyword" + }, + { + "description": "Message typically accompanied with a DHCP_NAK to let the client know\nwhy it rejected the request.\n", + "name": "server", + "type": "keyword" + } + ], + "name": "msg", + "type": "group" + }, + { + "fields": [ + { + "description": "(present if policy/protocols/dhcp/software.bro is loaded)\nSoftware reported by the client in the vendor_class option.\n", + 
"name": "client", + "type": "keyword" + }, + { + "description": "(present if policy/protocols/dhcp/software.bro is loaded)\nSoftware reported by the client in the vendor_class option.\n", + "name": "server", + "type": "keyword" + } + ], + "name": "software", + "type": "group" + }, + { + "fields": [ + { + "description": "(present if policy/protocols/dhcp/sub-opts.bro is loaded)\nAdded by DHCP relay agents which terminate switched or permanent\ncircuits. It encodes an agent-local identifier of the circuit from\nwhich a DHCP client-to-server packet was received. Typically it\nshould represent a router or switch interface number.\n", + "name": "circuit", + "type": "keyword" + }, + { + "description": "(present if policy/protocols/dhcp/sub-opts.bro is loaded)\nA globally unique identifier added by relay agents to identify the\nremote host end of the circuit.\n", + "name": "remote_agent", + "type": "keyword" + }, + { + "description": "(present if policy/protocols/dhcp/sub-opts.bro is loaded)\nThe subscriber ID is a value independent of the physical network\nconfiguration so that a customer's DHCP configuration can be given\nto them correctly no matter where they are physically connected.\n", + "name": "subscriber", + "type": "keyword" + } + ], + "name": "id", + "type": "group" + } + ], + "name": "dhcp", + "type": "group" + } + ] + } + } + } + }, + "dnp3": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek SSH log\n", + "fields": [ + { + "fields": [ + { + "description": "The name of the function message in the request.\n", + "name": "request", + "type": "keyword" + }, + { + "description": "The name of the function message in the reply.\n", + "name": "reply", + "type": "keyword" + } + ], + "name": "function", + "type": "group" + }, + { + "description": "The response's internal indication number.\n", + "name": "id", + "type": "integer" + } + ], + "name": "dnp3", + "type": "group" + } + ] + 
} + } + } + }, + "dns": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields exported by the Zeek DNS log\n", + "fields": [ + { + "description": "DNS transaction identifier.\n", + "name": "trans_id", + "type": "keyword" + }, + { + "description": "Round trip time for the query and response.\n", + "name": "rtt", + "type": "double" + }, + { + "description": "The domain name that is the subject of the DNS query.\n", + "name": "query", + "type": "keyword" + }, + { + "description": "The QCLASS value specifying the class of the query.\n", + "name": "qclass", + "type": "long" + }, + { + "description": "A descriptive name for the class of the query.\n", + "name": "qclass_name", + "type": "keyword" + }, + { + "description": "A QTYPE value specifying the type of the query.\n", + "name": "qtype", + "type": "long" + }, + { + "description": "A descriptive name for the type of the query.\n", + "name": "qtype_name", + "type": "keyword" + }, + { + "description": "The response code value in DNS response messages.\n", + "name": "rcode", + "type": "long" + }, + { + "description": "A descriptive name for the response code value.\n", + "name": "rcode_name", + "type": "keyword" + }, + { + "description": "The Authoritative Answer bit for response messages specifies that the responding\nname server is an authority for the domain name in the question section.\n", + "name": "AA", + "type": "boolean" + }, + { + "description": "The Truncation bit specifies that the message was truncated.\n", + "name": "TC", + "type": "boolean" + }, + { + "description": "The Recursion Desired bit in a request message indicates that the client\nwants recursive service for this query.\n", + "name": "RD", + "type": "boolean" + }, + { + "description": "The Recursion Available bit in a response message indicates that the name\nserver supports recursive queries.\n", + "name": "RA", + "type": "boolean" + }, + { + "description": "The set of resource descriptions in the query 
answer.\n", + "name": "answers", + "type": "keyword" + }, + { + "description": "The caching intervals of the associated RRs described by the answers field.\n", + "name": "TTLs", + "type": "double" + }, + { + "description": "Indicates whether the DNS query was rejected by the server.\n", + "name": "rejected", + "type": "boolean" + }, + { + "description": "The total number of resource records in the reply.\n", + "name": "total_answers", + "type": "integer" + }, + { + "description": "The total number of resource records in the reply message.\n", + "name": "total_replies", + "type": "integer" + }, + { + "description": "Whether the full DNS query has been seen.\n", + "name": "saw_query", + "type": "boolean" + }, + { + "description": "Whether the full DNS reply has been seen.\n", + "name": "saw_reply", + "type": "boolean" + } + ], + "name": "dns", + "type": "group" + } + ] + } + } + } + }, + "dpd": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek DPD log\n", + "fields": [ + { + "description": "The analyzer that generated the violation.\n", + "name": "analyzer", + "type": "keyword" + }, + { + "description": "The textual reason for the analysis failure.\n", + "name": "failure_reason", + "type": "keyword" + }, + { + "description": "(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded)\nA chunk of the payload that most likely resulted in the protocol violation.\n", + "name": "packet_segment", + "type": "keyword" + } + ], + "name": "dpd", + "type": "group" + } + ] + } + } + } + }, + "files": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields exported by the Zeek Files log.\n", + "fields": [ + { + "description": "A file unique identifier.\n", + "name": "fuid", + "type": "keyword" + }, + { + "description": "The host that transferred the file.\n", + "name": "tx_host", + "type": "ip" + }, + { + "description": "The host that received the 
file.\n", + "name": "rx_host", + "type": "ip" + }, + { + "description": "The sessions that have this file.\n", + "name": "session_ids", + "type": "keyword" + }, + { + "description": "An identification of the source of the file data. E.g. it may be a network protocol\nover which it was transferred, or a local file path which was read, or some other\ninput source.\n", + "name": "source", + "type": "keyword" + }, + { + "description": "A value to represent the depth of this file in relation to its source. In SMTP, it\nis the depth of the MIME attachment on the message. In HTTP, it is the depth of the\nrequest within the TCP connection.\n", + "name": "depth", + "type": "long" + }, + { + "description": "A set of analysis types done during the file analysis.\n", + "name": "analyzers", + "type": "keyword" + }, + { + "description": "Mime type of the file.\n", + "name": "mime_type", + "type": "keyword" + }, + { + "description": "Name of the file if available.\n", + "name": "filename", + "type": "keyword" + }, + { + "description": "If the source of this file is a network connection, this field indicates if the data\noriginated from the local network or not.\n", + "name": "local_orig", + "type": "boolean" + }, + { + "description": "If the source of this file is a network connection, this field indicates if the file is\nbeing sent by the originator of the connection or the responder.\n", + "name": "is_orig", + "type": "boolean" + }, + { + "description": "The duration the file was analyzed for. 
Not the duration of the session.\n", + "name": "duration", + "type": "double" + }, + { + "description": "Number of bytes provided to the file analysis engine for the file.\n", + "name": "seen_bytes", + "type": "long" + }, + { + "description": "Total number of bytes that are supposed to comprise the full file.\n", + "name": "total_bytes", + "type": "long" + }, + { + "description": "The number of bytes in the file stream that were completely missed during the process\nof analysis.\n", + "name": "missing_bytes", + "type": "long" + }, + { + "description": "The number of bytes in the file stream that were not delivered to stream file analyzers.\nThis could be overlapping bytes or bytes that couldn't be reassembled.\n", + "name": "overflow_bytes", + "type": "long" + }, + { + "description": "Whether the file analysis timed out at least once for the file.\n", + "name": "timedout", + "type": "boolean" + }, + { + "description": "Identifier associated with a container file from which this one was extracted as part of\nthe file analysis.\n", + "name": "parent_fuid", + "type": "keyword" + }, + { + "description": "An MD5 digest of the file contents.\n", + "name": "md5", + "type": "keyword" + }, + { + "description": "A SHA1 digest of the file contents.\n", + "name": "sha1", + "type": "keyword" + }, + { + "description": "A SHA256 digest of the file contents.\n", + "name": "sha256", + "type": "keyword" + }, + { + "description": "Local filename of extracted file.\n", + "name": "extracted", + "type": "keyword" + }, + { + "description": "Indicate whether the file being extracted was cut off hence not extracted completely.\n", + "name": "extracted_cutoff", + "type": "boolean" + }, + { + "description": "The number of bytes extracted to disk.\n", + "name": "extracted_size", + "type": "long" + }, + { + "description": "The information density of the contents of the file.\n", + "name": "entropy", + "type": "double" + } + ], + "name": "files", + "type": "group" + } + ] + } + } + } + }, + 
"ftp": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek FTP log\n", + "fields": [ + { + "description": "User name for the current FTP session.\n", + "name": "user", + "type": "keyword" + }, + { + "description": "Password for the current FTP session if captured.\n", + "name": "password", + "type": "keyword" + }, + { + "description": "Command given by the client.\n", + "name": "command", + "type": "keyword" + }, + { + "description": "Argument for the command if one is given.\n", + "name": "arg", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Size of the file if the command indicates a file transfer.\n", + "name": "size", + "type": "long" + }, + { + "description": "Sniffed mime type of file.\n", + "name": "mime_type", + "type": "keyword" + }, + { + "description": "(present if base/protocols/ftp/files.bro is loaded)\nFile unique ID.\n", + "name": "fuid", + "type": "keyword" + } + ], + "name": "file", + "type": "group" + }, + { + "fields": [ + { + "description": "Reply code from the server in response to the command.\n", + "name": "code", + "type": "integer" + }, + { + "description": "Reply message from the server in response to the command.\n", + "name": "msg", + "type": "keyword" + } + ], + "name": "reply", + "type": "group" + }, + { + "description": "Expected FTP data channel.\n", + "fields": [ + { + "description": "Whether PASV mode is toggled for control channel.\n", + "name": "passive", + "type": "boolean" + }, + { + "description": "The host that will be initiating the data connection.\n", + "name": "originating_host", + "type": "ip" + }, + { + "description": "The host that will be accepting the data connection.\n", + "name": "response_host", + "type": "ip" + }, + { + "description": "The port at which the acceptor is listening for the data connection.\n", + "name": "response_port", + "type": "integer" + } + ], + "name": "data_channel", + "type": "group" + }, + 
{ + "description": "Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use.\n", + "name": "cwd", + "type": "keyword" + }, + { + "description": "Command that is currently waiting for a response.\n", + "fields": [ + { + "description": "Command.\n", + "name": "cmd", + "type": "keyword" + }, + { + "description": "Argument for the command if one was given.\n", + "name": "arg", + "type": "keyword" + }, + { + "description": "Counter to track how many commands have been executed.\n", + "name": "seq", + "type": "integer" + } + ], + "name": "cmdarg", + "type": "group" + }, + { + "description": "Queue for commands that have been sent but not yet responded to are tracked here.\n", + "name": "pending_commands", + "type": "integer" + }, + { + "description": "Indicates if the session is in active or passive mode.\n", + "name": "passive", + "type": "boolean" + }, + { + "description": "Determines if the password will be captured for this request.\n", + "name": "capture_password", + "type": "boolean" + }, + { + "description": "present if base/protocols/ftp/gridftp.bro is loaded.\nLast authentication/security mechanism that was used.\n", + "name": "last_auth_requested", + "type": "keyword" + } + ], + "name": "ftp", + "type": "group" + } + ] + } + } + } + }, + "http": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields exported by the Zeek HTTP log\n", + "fields": [ + { + "description": "Represents the pipelined depth into the connection of this request/response transaction.\n", + "name": "trans_depth", + "type": "integer" + }, + { + "description": "Status message returned by the server.\n", + "name": "status_msg", + "type": "keyword" + }, + { + "description": "Last seen 1xx informational reply code returned by the server.\n", + "name": "info_code", + "type": "integer" + }, + { + "description": "Last 
seen 1xx informational reply message returned by the server.\n", + "name": "info_msg", + "type": "keyword" + }, + { + "description": "A set of indicators of various attributes discovered and related to a particular\nrequest/response pair.\n", + "name": "tags", + "type": "keyword" + }, + { + "description": "Password if basic-auth is performed for the request.\n", + "name": "password", + "type": "keyword" + }, + { + "description": "Determines if the password will be captured for this request.\n", + "name": "captured_password", + "type": "boolean" + }, + { + "description": "All of the headers that may indicate if the HTTP request was proxied.\n", + "name": "proxied", + "type": "keyword" + }, + { + "description": "Indicates if this request can assume 206 partial content in response.\n", + "name": "range_request", + "type": "boolean" + }, + { + "description": "The vector of HTTP header names sent by the client. No header values\nare included here, just the header names.\n", + "name": "client_header_names", + "type": "keyword" + }, + { + "description": "The vector of HTTP header names sent by the server. 
No header values\nare included here, just the header names.\n", + "name": "server_header_names", + "type": "keyword" + }, + { + "description": "An ordered vector of file unique IDs from the originator.\n", + "name": "orig_fuids", + "type": "keyword" + }, + { + "description": "An ordered vector of mime types from the originator.\n", + "name": "orig_mime_types", + "type": "keyword" + }, + { + "description": "An ordered vector of filenames from the originator.\n", + "name": "orig_filenames", + "type": "keyword" + }, + { + "description": "An ordered vector of file unique IDs from the responder.\n", + "name": "resp_fuids", + "type": "keyword" + }, + { + "description": "An ordered vector of mime types from the responder.\n", + "name": "resp_mime_types", + "type": "keyword" + }, + { + "description": "An ordered vector of filenames from the responder.\n", + "name": "resp_filenames", + "type": "keyword" + }, + { + "description": "Current number of MIME entities in the HTTP request message body.\n", + "name": "orig_mime_depth", + "type": "integer" + }, + { + "description": "Current number of MIME entities in the HTTP response message body.\n", + "name": "resp_mime_depth", + "type": "integer" + } + ], + "name": "http", + "type": "group" + } + ] + } + } + } + }, + "intel": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek Intel log.\n", + "fields": [ + { + "fields": [ + { + "description": "The intelligence indicator.\n", + "name": "indicator", + "type": "keyword" + }, + { + "description": "The type of data the indicator represents.\n", + "name": "indicator_type", + "type": "keyword" + }, + { + "description": "If the indicator type was Intel::ADDR, then this field will be present.\n", + "name": "host", + "type": "keyword" + }, + { + "description": "If the data was discovered within a connection, the connection record should go here to give context to the data.\n", + "name": "conn", + "type": 
"keyword" + }, + { + "description": "Where the data was discovered.\n", + "name": "where", + "type": "keyword" + }, + { + "description": "The name of the node where the match was discovered.\n", + "name": "node", + "type": "keyword" + }, + { + "description": "If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.\n", + "name": "uid", + "type": "keyword" + }, + { + "description": "If the data was discovered within a file, the file record should go here to provide context to the data.\n", + "name": "f", + "type": "object" + }, + { + "description": "If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.\n", + "name": "fuid", + "type": "keyword" + } + ], + "name": "seen", + "type": "group" + }, + { + "description": "Event to represent a match in the intelligence data from data that was seen.\n", + "name": "matched", + "type": "keyword" + }, + { + "description": "Sources which supplied data for this match.\n", + "name": "sources", + "type": "keyword" + }, + { + "description": "If a file was associated with this intelligence hit, this is the uid for the file.\n", + "name": "fuid", + "type": "keyword" + }, + { + "description": "A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.\n", + "name": "file_mime_type", + "type": "keyword" + }, + { + "description": "Frequently files can be described to give a bit more context. 
If the $f field is provided this field will be automatically filled out.\n", + "name": "file_desc", + "type": "keyword" + } + ], + "name": "intel", + "type": "group" + } + ] + } + } + } + }, + "irc": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek IRC log\n", + "fields": [ + { + "description": "Nickname given for the connection.\n", + "name": "nick", + "type": "keyword" + }, + { + "description": "Username given for the connection.\n", + "name": "user", + "type": "keyword" + }, + { + "description": "Command given by the client.\n", + "name": "command", + "type": "keyword" + }, + { + "description": "Value for the command given by the client.\n", + "name": "value", + "type": "keyword" + }, + { + "description": "Any additional data for the command.\n", + "name": "addl", + "type": "keyword" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Present if base/protocols/irc/dcc-send.bro is loaded.\nDCC filename requested.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Present if base/protocols/irc/dcc-send.bro is loaded.\nSize of the DCC transfer as indicated by the sender.\n", + "name": "size", + "type": "long" + } + ], + "name": "file", + "type": "group" + }, + { + "description": "present if base/protocols/irc/dcc-send.bro is loaded.\nSniffed mime type of the file.\n", + "name": "mime_type", + "type": "keyword" + } + ], + "name": "dcc", + "type": "group" + }, + { + "description": "present if base/protocols/irc/files.bro is loaded.\nFile unique ID.\n", + "name": "fuid", + "type": "keyword" + } + ], + "name": "irc", + "type": "group" + } + ] + } + } + } + }, + "kerberos": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek Kerberos log\n", + "fields": [ + { + "description": "Request type - Authentication Service (AS) or Ticket Granting Service (TGS).\n", + "name": 
"request_type", + "type": "keyword" + }, + { + "description": "Client name.\n", + "name": "client", + "type": "keyword" + }, + { + "description": "Service name.\n", + "name": "service", + "type": "keyword" + }, + { + "description": "Request result.\n", + "name": "success", + "type": "boolean" + }, + { + "fields": [ + { + "description": "Error code.\n", + "name": "code", + "type": "integer" + }, + { + "description": "Error message.\n", + "name": "msg", + "type": "keyword" + } + ], + "name": "error", + "type": "group" + }, + { + "fields": [ + { + "description": "Ticket valid from.\n", + "name": "from", + "type": "date" + }, + { + "description": "Ticket valid until.\n", + "name": "until", + "type": "date" + }, + { + "description": "Number of days the ticket is valid for.\n", + "name": "days", + "type": "integer" + } + ], + "name": "valid", + "type": "group" + }, + { + "description": "Ticket encryption type.\n", + "name": "cipher", + "type": "keyword" + }, + { + "description": "Forwardable ticket requested.\n", + "name": "forwardable", + "type": "boolean" + }, + { + "description": "Renewable ticket requested.\n", + "name": "renewable", + "type": "boolean" + }, + { + "fields": [ + { + "description": "Hash of ticket used to authorize request/transaction.\n", + "name": "auth", + "type": "keyword" + }, + { + "description": "Hash of ticket returned by the KDC.\n", + "name": "new", + "type": "keyword" + } + ], + "name": "ticket", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Client certificate.\n", + "name": "value", + "type": "keyword" + }, + { + "description": "File unique ID of client cert.\n", + "name": "fuid", + "type": "keyword" + }, + { + "description": "Subject of client certificate.\n", + "name": "subject", + "type": "keyword" + } + ], + "name": "client", + "type": "group" + }, + { + "fields": [ + { + "description": "Server certificate.\n", + "name": "value", + "type": "keyword" + }, + { + "description": "File unique ID of server 
certificate.\n", + "name": "fuid", + "type": "keyword" + }, + { + "description": "Subject of server certificate.\n", + "name": "subject", + "type": "keyword" + } + ], + "name": "server", + "type": "group" + } + ], + "name": "cert", + "type": "group" + } + ], + "name": "kerberos", + "type": "group" + } + ] + } + } + } + }, + "modbus": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek modbus log.\n", + "fields": [ + { + "description": "The name of the function message that was sent.\n", + "name": "function", + "type": "keyword" + }, + { + "description": "The exception if the response was a failure.\n", + "name": "exception", + "type": "keyword" + }, + { + "description": "Present if policy/protocols/modbus/track-memmap.bro is loaded.\nModbus track address.\n", + "name": "track_address", + "type": "integer" + } + ], + "name": "modbus", + "type": "group" + } + ] + } + } + } + }, + "mysql": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek MySQL log.\n", + "fields": [ + { + "description": "The command that was issued.\n", + "name": "cmd", + "type": "keyword" + }, + { + "description": "The argument issued to the command.\n", + "name": "arg", + "type": "keyword" + }, + { + "description": "Whether the command succeeded.\n", + "name": "success", + "type": "boolean" + }, + { + "description": "The number of affected rows, if any.\n", + "name": "rows", + "type": "integer" + }, + { + "description": "Server message, if any.\n", + "name": "response", + "type": "keyword" + } + ], + "name": "mysql", + "type": "group" + } + ] + } + } + } + }, + "notice": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Fields exported by the Zeek Notice log.\n", + "fields": [ + { + "description": "Identifier of the related connection session.\n", + "name": "connection_id", + "type": "keyword" + 
}, + { + "description": "Identifier of the related ICMP session.\n", + "name": "icmp_id", + "type": "keyword" + }, + { + "description": "An identifier associated with a single file that is related to this notice.\n", + "name": "file.id", + "type": "keyword" + }, + { + "description": "Identifier associated with a container file from which this one was extracted.\n", + "name": "file.parent_id", + "type": "keyword" + }, + { + "description": "An identification of the source of the file data. E.g. it may be a network protocol\nover which it was transferred, or a local file path which was read, or some other\ninput source.\n", + "name": "file.source", + "type": "keyword" + }, + { + "description": "A mime type if the notice is related to a file.\n", + "name": "file.mime_type", + "type": "keyword" + }, + { + "description": "If the source of this file is a network connection, this field indicates if the file is\nbeing sent by the originator of the connection or the responder.\n", + "name": "file.is_orig", + "type": "boolean" + }, + { + "description": "Number of bytes provided to the file analysis engine for the file.\n", + "name": "file.seen_bytes", + "type": "long" + }, + { + "description": "Total number of bytes that are supposed to comprise the full file.\n", + "name": "ffile.total_bytes", + "type": "long" + }, + { + "description": "The number of bytes in the file stream that were completely missed during the process\nof analysis.\n", + "name": "file.missing_bytes", + "type": "long" + }, + { + "description": "The number of bytes in the file stream that were not delivered to stream file analyzers.\nThis could be overlapping bytes or bytes that couldn't be reassembled.\n", + "name": "file.overflow_bytes", + "type": "long" + }, + { + "description": "A file unique ID if this notice is related to a file.\n", + "name": "fuid", + "type": "keyword" + }, + { + "description": "The type of the notice.\n", + "name": "note", + "type": "keyword" + }, + { + "description": "The human 
readable message for the notice.\n", + "name": "msg", + "type": "keyword" + }, + { + "description": "The human readable sub-message.\n", + "name": "sub", + "type": "keyword" + }, + { + "description": "Associated count, or a status code.\n", + "name": "n", + "type": "long" + }, + { + "description": "Name of remote peer that raised this notice.\n", + "name": "peer_name", + "type": "keyword" + }, + { + "description": "Textual description for the peer that raised this notice.\n", + "name": "peer_descr", + "type": "text" + }, + { + "description": "The actions which have been applied to this notice.\n", + "name": "actions", + "type": "keyword" + }, + { + "description": "By adding chunks of text into this element, other scripts can expand on notices\nthat are being emailed.\n", + "name": "email_body_sections", + "type": "text" + }, + { + "description": "Adding a string token to this set will cause the built-in emailing functionality\nto delay sending the email either the token has been removed or the email\nhas been delayed for the specified time duration.\n", + "name": "email_delay_tokens", + "type": "keyword" + }, + { + "description": "This field is provided when a notice is generated for the purpose of deduplicating notices.\n", + "name": "identifier", + "type": "keyword" + }, + { + "description": "This field indicates the length of time that this unique notice should be suppressed.\n", + "name": "suppress_for", + "type": "double" + }, + { + "description": "Indicate if the source IP address was dropped and denied network access.\n", + "name": "dropped", + "type": "boolean" + } + ], + "name": "notice", + "type": "group" + } + ] + } + } + } + }, + "ntlm": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek NTLM log.\n", + "fields": [ + { + "description": "Domain name given by the client.\n", + "name": "domain", + "type": "keyword" + }, + { + "description": "Hostname given by the 
client.\n", + "name": "hostname", + "type": "keyword" + }, + { + "description": "Indicate whether or not the authentication was successful.\n", + "name": "success", + "type": "boolean" + }, + { + "description": "Username given by the client.\n", + "name": "username", + "type": "keyword" + }, + { + "fields": [ + { + "fields": [ + { + "description": "DNS name given by the server in a CHALLENGE.\n", + "name": "dns", + "type": "keyword" + }, + { + "description": "NetBIOS name given by the server in a CHALLENGE.\n", + "name": "netbios", + "type": "keyword" + }, + { + "description": "Tree name given by the server in a CHALLENGE.\n", + "name": "tree", + "type": "keyword" + } + ], + "name": "name", + "type": "group" + } + ], + "name": "server", + "type": "group" + } + ], + "name": "ntlm", + "type": "group" + } + ] + } + } + } + }, + "ocsp": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek OCSP log\nOnline Certificate Status Protocol (OCSP). 
Only created if policy script is loaded.\n", + "fields": [ + { + "description": "File id of the OCSP reply.\n", + "name": "file_id", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Hash algorithm used to generate issuerNameHash and issuerKeyHash.\n", + "name": "algorithm", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Hash of the issuer's distingueshed name.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Hash of the issuer's public key.\n", + "name": "key", + "type": "keyword" + } + ], + "name": "issuer", + "type": "group" + } + ], + "name": "hash", + "type": "group" + }, + { + "description": "Serial number of the affected certificate.\n", + "name": "serial_number", + "type": "keyword" + }, + { + "description": "Status of the affected certificate.\n", + "name": "status", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Time at which the certificate was revoked.\n", + "name": "time", + "type": "date" + }, + { + "description": "Reason for which the certificate was revoked.\n", + "name": "reason", + "type": "keyword" + } + ], + "name": "revoke", + "type": "group" + }, + { + "fields": [ + { + "description": "The time at which the status being shows is known to have been correct.\n", + "name": "this", + "type": "date" + }, + { + "description": "The latest time at which new information about the status of the certificate will be available.\n", + "name": "next", + "type": "date" + } + ], + "name": "update", + "type": "group" + } + ], + "name": "ocsp", + "type": "group" + } + ] + } + } + } + }, + "pe": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek pe log.\n", + "fields": [ + { + "description": "The client's version string.\n", + "name": "client", + "type": "keyword" + }, + { + "description": "File id of this portable executable file.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "The target 
machine that the file was compiled for.\n", + "name": "machine", + "type": "keyword" + }, + { + "description": "The time that the file was created at.\n", + "name": "compile_time", + "type": "date" + }, + { + "description": "The required operating system.\n", + "name": "os", + "type": "keyword" + }, + { + "description": "The subsystem that is required to run this file.\n", + "name": "subsystem", + "type": "keyword" + }, + { + "description": "Is the file an executable, or just an object file?\n", + "name": "is_exe", + "type": "boolean" + }, + { + "description": "Is the file a 64-bit executable?\n", + "name": "is_64bit", + "type": "boolean" + }, + { + "description": "Does the file support Address Space Layout Randomization?\n", + "name": "uses_aslr", + "type": "boolean" + }, + { + "description": "Does the file support Data Execution Prevention?\n", + "name": "uses_dep", + "type": "boolean" + }, + { + "description": "Does the file enforce code integrity checks?\n", + "name": "uses_code_integrity", + "type": "boolean" + }, + { + "description": "Does the file use structured exception handing?\n", + "name": "uses_seh", + "type": "boolean" + }, + { + "description": "Does the file have an import table?\n", + "name": "has_import_table", + "type": "boolean" + }, + { + "description": "Does the file have an export table?\n", + "name": "has_export_table", + "type": "boolean" + }, + { + "description": "Does the file have an attribute certificate table?\n", + "name": "has_cert_table", + "type": "boolean" + }, + { + "description": "Does the file have a debug table?\n", + "name": "has_debug_data", + "type": "boolean" + }, + { + "description": "The names of the sections, in order.\n", + "name": "section_names", + "type": "keyword" + } + ], + "name": "pe", + "type": "group" + } + ] + } + } + } + }, + "radius": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek Radius log.\n", + "fields": [ + { + 
"description": "The username, if present.\n", + "name": "username", + "type": "keyword" + }, + { + "description": "MAC address, if present.\n", + "name": "mac", + "type": "keyword" + }, + { + "description": "The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.\n", + "name": "framed_addr", + "type": "ip" + }, + { + "description": "Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute.\n", + "name": "remote_ip", + "type": "ip" + }, + { + "description": "Connect info, if present.\n", + "name": "connect_info", + "type": "keyword" + }, + { + "description": "Reply message from the server challenge. This is frequently shown to the user authenticating.\n", + "name": "reply_msg", + "type": "keyword" + }, + { + "description": "Successful or failed authentication.\n", + "name": "result", + "type": "keyword" + }, + { + "description": "The duration between the first request and either the \"Access-Accept\" message or an error. If the field is empty, it means that either the request or response was not seen.\n", + "name": "ttl", + "type": "integer" + }, + { + "description": "Whether this has already been logged and can be ignored.\n", + "name": "logged", + "type": "boolean" + } + ], + "name": "radius", + "type": "group" + } + ] + } + } + } + }, + "rdp": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek RDP log.\n", + "fields": [ + { + "description": "Cookie value used by the client machine. This is typically a username.\n", + "name": "cookie", + "type": "keyword" + }, + { + "description": "Status result for the connection. 
It's a mix between RDP negotation failure messages and GCC server create response messages.\n", + "name": "result", + "type": "keyword" + }, + { + "description": "Security protocol chosen by the server.\n", + "name": "security_protocol", + "type": "keyword" + }, + { + "description": "Keyboard layout (language) of the client machine.\n", + "name": "keyboard_layout", + "type": "keyword" + }, + { + "fields": [ + { + "description": "RDP client version used by the client machine.\n", + "name": "build", + "type": "keyword" + }, + { + "description": "Name of the client machine.\n", + "name": "client_name", + "type": "keyword" + }, + { + "description": "Product ID of the client machine.\n", + "name": "product_id", + "type": "keyword" + } + ], + "name": "client", + "type": "group" + }, + { + "fields": [ + { + "description": "Desktop width of the client machine.\n", + "name": "width", + "type": "integer" + }, + { + "description": "Desktop height of the client machine.\n", + "name": "height", + "type": "integer" + }, + { + "description": "The color depth requested by the client in the high_color_depth field.\n", + "name": "color_depth", + "type": "keyword" + } + ], + "name": "desktop", + "type": "group" + }, + { + "fields": [ + { + "description": "If the connection is being encrypted with native RDP encryption, this is the type of cert being used.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "The number of certs seen. 
X.509 can transfer an entire certificate chain.\n", + "name": "count", + "type": "integer" + }, + { + "description": "Indicates if the provided certificate or certificate chain is permanent or temporary.\n", + "name": "permanent", + "type": "boolean" + } + ], + "name": "cert", + "type": "group" + }, + { + "fields": [ + { + "description": "Encryption level of the connection.\n", + "name": "level", + "type": "keyword" + }, + { + "description": "Encryption method of the connection.\n", + "name": "method", + "type": "keyword" + } + ], + "name": "encryption", + "type": "group" + }, + { + "description": "Track status of logging RDP connections.\n", + "name": "done", + "type": "boolean" + }, + { + "description": "(present if policy/protocols/rdp/indicate_ssl.bro is loaded)\nFlag the connection if it was seen over SSL.\n", + "name": "ssl", + "type": "boolean" + } + ], + "name": "rdp", + "type": "group" + } + ] + } + } + } + }, + "rfb": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek RFB log.\n", + "fields": [ + { + "fields": [ + { + "fields": [ + { + "description": "Major version of the client.\n", + "name": "major", + "type": "keyword" + }, + { + "description": "Minor version of the client.\n", + "name": "minor", + "type": "keyword" + } + ], + "name": "client", + "type": "group" + }, + { + "fields": [ + { + "description": "Major version of the server.\n", + "name": "major", + "type": "keyword" + }, + { + "description": "Minor version of the server.\n", + "name": "minor", + "type": "keyword" + } + ], + "name": "server", + "type": "group" + } + ], + "name": "version", + "type": "group" + }, + { + "fields": [ + { + "description": "Whether or not authentication was successful.\n", + "name": "success", + "type": "boolean" + }, + { + "description": "Identifier of authentication method used.\n", + "name": "method", + "type": "keyword" + } + ], + "name": "auth", + "type": "group" + }, + { + 
"description": "Whether the client has an exclusive or a shared session.\n", + "name": "share_flag", + "type": "boolean" + }, + { + "description": "Name of the screen that is being shared.\n", + "name": "desktop_name", + "type": "keyword" + }, + { + "description": "Width of the screen that is being shared.\n", + "name": "width", + "type": "integer" + }, + { + "description": "Height of the screen that is being shared.\n", + "name": "height", + "type": "integer" + } + ], + "name": "rfb", + "type": "group" + } + ] + } + } + } + }, + "sip": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek SIP log.\n", + "fields": [ + { + "description": "Represents the pipelined depth into the connection of this request/response transaction.\n", + "name": "transaction_depth", + "type": "integer" + }, + { + "fields": [ + { + "description": "Verb used in the SIP request (INVITE, REGISTER etc.).\n", + "name": "method", + "type": "keyword" + }, + { + "description": "Contents of the CSeq: header from the client.\n", + "name": "number", + "type": "keyword" + } + ], + "name": "sequence", + "type": "group" + }, + { + "description": "URI used in the request.\n", + "name": "uri", + "type": "keyword" + }, + { + "description": "Contents of the Date: header from the client.\n", + "name": "date", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Contents of the request 
From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged.\n", + "name": "from", + "type": "keyword" + }, + { + "description": "Contents of the To: header.\n", + "name": "to", + "type": "keyword" + }, + { + "description": "The client message transmission path, as extracted from the headers.\n", + "name": "path", + "type": "keyword" + }, + { + "description": "Contents of the Content-Length: header from the client.\n", + "name": "body_length", + "type": "long" + } + ], + "name": "request", + "type": "group" + }, + { + "fields": [ + { + "description": "Contents of the response 
From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged.\n", + "name": "from", + "type": "keyword" + }, + { + "description": "Contents of the response To: header.\n", + "name": "to", + "type": "keyword" + }, + { + "description": "The server message transmission path, as extracted from the headers.\n", + "name": "path", + "type": "keyword" + }, + { + "description": "Contents of the Content-Length: header from the server.\n", + "name": "body_length", + "type": "long" + } + ], + "name": "response", + "type": "group" + }, + { + "description": "Contents of the Reply-To: header.\n", + "name": "reply_to", + "type": "keyword" + }, + { + "description": "Contents of the Call-ID: header from the client.\n", + "name": "call_id", + "type": "keyword" + }, + { + "description": "Contents of the Subject: header from the client.\n", + "name": "subject", + "type": "keyword" + }, + { + "description": "Contents of the User-Agent: header from the client.\n", + "name": "user_agent", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Status code returned by the server.\n", + "name": "code", + "type": "integer" + }, + { + "description": "Status message returned by the server.\n", + "name": "msg", + "type": "keyword" + } + ], + "name": "status", + "type": "group" + }, + { + "description": "Contents of the Warning: header.\n", + "name": "warning", + "type": "keyword" + }, + { + "description": "Contents of the Content-Type: header from the server.\n", + "name": "content_type", + "type": "keyword" + } + ], + "name": "sip", + "type": "group" + } + ] + } + } + } + }, + "smb_cmd": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek smb_cmd log.\n", + "fields": [ + { + "description": "The command sent by the client.\n", + "name": "command", + "type": "keyword" + }, + { + "description": "The subcommand sent by the client, if present.\n", + "name": 
"sub_command", + "type": "keyword" + }, + { + "description": "Command argument sent by the client, if any.\n", + "name": "argument", + "type": "keyword" + }, + { + "description": "Server reply to the client's command.\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Round trip time from the request to the response.\n", + "name": "rtt", + "type": "double" + }, + { + "description": "Version of SMB for the command.\n", + "name": "version", + "type": "keyword" + }, + { + "description": "Authenticated username, if available.\n", + "name": "username", + "type": "keyword" + }, + { + "description": "If this is related to a tree, this is the tree that was used for the current command.\n", + "name": "tree", + "type": "keyword" + }, + { + "description": "The type of tree (disk share, printer share, named pipe, etc.).\n", + "name": "tree_service", + "type": "keyword" + }, + { + "description": "If the command referenced a file, store it here.\n", + "fields": [ + { + "description": "Filename if one was seen.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Action this log record represents.\n", + "name": "action", + "type": "keyword" + }, + { + "description": "UID of the referenced file.\n", + "name": "uid", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Address of the transmitting host.\n", + "name": "tx", + "type": "ip" + }, + { + "description": "Address of the receiving host.\n", + "name": "rx", + "type": "ip" + } + ], + "name": "host", + "type": "group" + } + ], + "name": "file", + "type": "group" + }, + { + "description": "Present if base/protocols/smb/smb1-main.bro is loaded.\nDialects offered by the client.\n", + "name": "smb1_offered_dialects", + "type": "keyword" + }, + { + "description": "Present if base/protocols/smb/smb2-main.bro is loaded.\nDialects offered by the client.\n", + "name": "smb2_offered_dialects", + "type": "integer" + } + ], + "name": "smb_cmd", + "type": "group" + } + ] + } + } + } + }, + 
"smb_files": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek SMB Files log.\n", + "fields": [ + { + "description": "Action this log record represents.\n", + "name": "action", + "type": "keyword" + }, + { + "description": "ID referencing this file.\n", + "name": "fid", + "type": "integer" + }, + { + "description": "Filename if one was seen.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Path pulled from the tree this file was transferred to or from.\n", + "name": "path", + "type": "keyword" + }, + { + "description": "If the rename action was seen, this will be the file's previous name.\n", + "name": "previous_name", + "type": "keyword" + }, + { + "description": "Byte size of the file.\n", + "name": "size", + "type": "long" + }, + { + "description": "Timestamps of the file.\n", + "fields": [ + { + "description": "The file's access time.\n", + "name": "accessed", + "type": "date" + }, + { + "description": "The file's change time.\n", + "name": "changed", + "type": "date" + }, + { + "description": "The file's create time.\n", + "name": "created", + "type": "date" + }, + { + "description": "The file's modify time.\n", + "name": "modified", + "type": "date" + } + ], + "name": "times", + "type": "group" + }, + { + "description": "UUID referencing this file if DCE/RPC.\n", + "name": "uuid", + "type": "keyword" + } + ], + "name": "smb_files", + "type": "group" + } + ] + } + } + } + }, + "smb_mapping": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek SMB_Mapping log.\n", + "fields": [ + { + "description": "Name of the tree path.\n", + "name": "path", + "type": "keyword" + }, + { + "description": "The type of resource of the tree (disk share, printer share, named pipe, etc.).\n", + "name": "service", + "type": "keyword" + }, + { + "description": "File system of the tree.\n", + 
"name": "native_file_system", + "type": "keyword" + }, + { + "description": "If this is SMB2, a share type will be included. For SMB1, the type of share\nwill be deduced and included as well.\n", + "name": "share_type", + "type": "keyword" + } + ], + "name": "smb_mapping", + "type": "group" + } + ] + } + } + } + }, + "smtp": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek SMTP log.\n", + "fields": [ + { + "description": "A count to represent the depth of this message transaction in a single connection where multiple messages were transferred.\n", + "name": "transaction_depth", + "type": "integer" + }, + { + "description": "Contents of the Helo header.\n", + "name": "helo", + "type": "keyword" + }, + { + "description": "Email addresses found in the MAIL FROM header.\n", + "name": "mail_from", + "type": "keyword" + }, + { + "description": "Email addresses found in the RCPT TO header.\n", + "name": "rcpt_to", + "type": "keyword" + }, + { + "description": "Contents of the Date header.\n", + "name": "date", + "type": "date" + }, + { + "description": "Contents of the From header.\n", + "name": "from", + "type": "keyword" + }, + { + "description": "Contents of the To header.\n", + "name": "to", + "type": "keyword" + }, + { + "description": "Contents of the CC header.\n", + "name": "cc", + "type": "keyword" + }, + { + "description": "Contents of the ReplyTo header.\n", + "name": "reply_to", + "type": "keyword" + }, + { + "description": "Contents of the MsgID header.\n", + "name": "msg_id", + "type": "keyword" + }, + { + "description": "Contents of the In-Reply-To header.\n", + "name": "in_reply_to", + "type": "keyword" + }, + { + "description": "Contents of the Subject header.\n", + "name": "subject", + "type": "keyword" + }, + { + "description": "Contents of the X-Originating-IP header.\n", + "name": "x_originating_ip", + "type": "keyword" + }, + { + "description": "Contents of the 
first Received header.\n", + "name": "first_received", + "type": "keyword" + }, + { + "description": "Contents of the second Received header.\n", + "name": "second_received", + "type": "keyword" + }, + { + "description": "The last message that the server sent to the client.\n", + "name": "last_reply", + "type": "keyword" + }, + { + "description": "The message transmission path, as extracted from the headers.\n", + "name": "path", + "type": "ip" + }, + { + "description": "Value of the User-Agent header from the client.\n", + "name": "user_agent", + "type": "keyword" + }, + { + "description": "Indicates that the connection has switched to using TLS.\n", + "name": "tls", + "type": "boolean" + }, + { + "description": "Indicates if the \"Received: from\" headers should still be processed.\n", + "name": "process_received_from", + "type": "boolean" + }, + { + "description": "Indicates if client activity has been seen, but not yet logged.\n", + "name": "has_client_activity", + "type": "boolean" + }, + { + "description": "(present if base/protocols/smtp/files.bro is loaded)\nAn ordered vector of file unique IDs seen attached to the message.\n", + "name": "fuids", + "type": "keyword" + }, + { + "description": "Indicates if the message was sent through a webmail interface.\n", + "name": "is_webmail", + "type": "boolean" + } + ], + "name": "smtp", + "type": "group" + } + ] + } + } + } + }, + "snmp": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek SNMP log.\n", + "fields": [ + { + "description": "The amount of time between the first packet beloning to the SNMP session and the latest one seen.\n", + "name": "duration", + "type": "double" + }, + { + "description": "The version of SNMP being used.\n", + "name": "version", + "type": "keyword" + }, + { + "description": "The community string of the first SNMP packet associated with the session. 
This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901.\n", + "name": "community", + "type": "keyword" + }, + { + "fields": [ + { + "description": "The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session.\n", + "name": "requests", + "type": "integer" + }, + { + "description": "The number of variable bindings in GetBulkRequest PDUs seen for the session.\n", + "name": "bulk_requests", + "type": "integer" + }, + { + "description": "The number of variable bindings in GetResponse/Response PDUs seen for the session.\n", + "name": "responses", + "type": "integer" + } + ], + "name": "get", + "type": "group" + }, + { + "fields": [ + { + "description": "The number of variable bindings in SetRequest PDUs seen for the session.\n", + "name": "requests", + "type": "integer" + } + ], + "name": "set", + "type": "group" + }, + { + "description": "A system description of the SNMP responder endpoint.\n", + "name": "display_string", + "type": "keyword" + }, + { + "description": "The time at which the SNMP responder endpoint claims it's been up since.\n", + "name": "up_since", + "type": "date" + } + ], + "name": "snmp", + "type": "group" + } + ] + } + } + } + }, + "socks": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek SOCKS log.\n", + "fields": [ + { + "description": "Protocol version of SOCKS.\n", + "name": "version", + "type": "integer" + }, + { + "description": "Username used to request a login to the proxy.\n", + "name": "user", + "type": "keyword" + }, + { + "description": "Password used to request a login to the proxy.\n", + "name": "password", + "type": "keyword" + }, + { + "description": "Server status for the attempt at using the proxy.\n", + "name": "status", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Client requested SOCKS address. 
Could be an address, a name or both.\n", + "name": "host", + "type": "keyword" + }, + { + "description": "Client requested port.\n", + "name": "port", + "type": "integer" + } + ], + "name": "request", + "type": "group" + }, + { + "fields": [ + { + "description": "Server bound address. Could be an address, a name or both.\n", + "name": "host", + "type": "keyword" + }, + { + "description": "Server bound port.\n", + "name": "port", + "type": "integer" + } + ], + "name": "bound", + "type": "group" + }, + { + "description": "Determines if the password will be captured for this request.\n", + "name": "capture_password", + "type": "boolean" + } + ], + "name": "socks", + "type": "group" + } + ] + } + } + } + }, + "ssh": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek SSH log.\n", + "fields": [ + { + "description": "The client's version string.\n", + "name": "client", + "type": "keyword" + }, + { + "description": "Direction of the connection. If the client was a local host logging into\nan external host, this would be OUTBOUND. 
INBOUND would be set for the\nopposite situation.\n", + "name": "direction", + "type": "keyword" + }, + { + "description": "The server's key thumbprint.\n", + "name": "host_key", + "type": "keyword" + }, + { + "description": "The server's version string.\n", + "name": "server", + "type": "keyword" + }, + { + "description": "SSH major version (1 or 2).\n", + "name": "version", + "type": "integer" + }, + { + "description": "Cipher algorithms used in this session.\n", + "fields": [ + { + "description": "The encryption algorithm in use.\n", + "name": "cipher", + "type": "keyword" + }, + { + "description": "The compression algorithm in use.\n", + "name": "compression", + "type": "keyword" + }, + { + "description": "The server host key's algorithm.\n", + "name": "host_key", + "type": "keyword" + }, + { + "description": "The key exchange algorithm in use.\n", + "name": "key_exchange", + "type": "keyword" + }, + { + "description": "The signing (MAC) algorithm in use.\n", + "name": "mac", + "type": "keyword" + } + ], + "name": "algorithm", + "type": "group" + }, + { + "fields": [ + { + "description": "The number of authentication attemps we observed. There's always at\nleast one, since some servers might support no authentication at all.\nIt's important to note that not all of these are failures, since some\nservers require two-factor auth (e.g. 
password AND pubkey).\n", + "name": "attempts", + "type": "integer" + }, + { + "description": "Authentication result.\n", + "name": "success", + "type": "boolean" + } + ], + "name": "auth", + "type": "group" + } + ], + "name": "ssh", + "type": "group" + } + ] + } + } + } + }, + "ssl": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek SSL log.\n", + "fields": [ + { + "description": "SSL/TLS version that was logged.\n", + "name": "version", + "type": "keyword" + }, + { + "description": "SSL/TLS cipher suite that was logged.\n", + "name": "cipher", + "type": "keyword" + }, + { + "description": "Elliptic curve that was logged when using ECDH/ECDHE.\n", + "name": "curve", + "type": "keyword" + }, + { + "description": "Flag to indicate if the session was resumed reusing the key material exchanged in an\nearlier connection.\n", + "name": "resumed", + "type": "boolean" + }, + { + "description": "Next protocol the server chose using the application layer next protocol extension.\n", + "name": "next_protocol", + "type": "keyword" + }, + { + "description": "Flag to indicate if this ssl session has been established successfully.\n", + "name": "established", + "type": "boolean" + }, + { + "fields": [ + { + "description": "Result of certificate validation for this connection.\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Result of certificate validation for this connection, given as OpenSSL validation code.\n", + "name": "code", + "type": "keyword" + } + ], + "name": "validation", + "type": "group" + }, + { + "description": "Last alert that was seen during the connection.\n", + "name": "last_alert", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Value of the Server Name Indicator SSL/TLS extension. 
It indicates the server name\nthat the client was requesting.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Chain of certificates offered by the server to validate its complete signing chain.\n", + "name": "cert_chain", + "type": "keyword" + }, + { + "description": "An ordered vector of certificate file identifiers for the certificates offered by the server.\n", + "name": "cert_chain_fuids", + "type": "keyword" + }, + { + "description": "Subject of the signer of the X.509 certificate offered by the server.\n", + "fields": [ + { + "description": "Common name of the signer of the X.509 certificate offered by the server.\n", + "name": "common_name", + "type": "keyword" + }, + { + "description": "Country code of the signer of the X.509 certificate offered by the server.\n", + "name": "country", + "type": "keyword" + }, + { + "description": "Locality of the signer of the X.509 certificate offered by the server.\n", + "name": "locality", + "type": "keyword" + }, + { + "description": "Organization of the signer of the X.509 certificate offered by the server.\n", + "name": "organization", + "type": "keyword" + }, + { + "description": "Organizational unit of the signer of the X.509 certificate offered by the server.\n", + "name": "organizational_unit", + "type": "keyword" + }, + { + "description": "State or province name of the signer of the X.509 certificate offered by the server.\n", + "name": "state", + "type": "keyword" + } + ], + "name": "issuer", + "type": "group" + }, + { + "description": "Subject of the X.509 certificate offered by the server.\n", + "fields": [ + { + "description": "Common name of the X.509 certificate offered by the server.\n", + "name": "common_name", + "type": "keyword" + }, + { + "description": "Country code of the X.509 certificate offered by the server.\n", + "name": "country", + "type": "keyword" + }, + { + "description": "Locality of the X.509 certificate offered by the server.\n", + "name": "locality", + "type": 
"keyword" + }, + { + "description": "Organization of the X.509 certificate offered by the server.\n", + "name": "organization", + "type": "keyword" + }, + { + "description": "Organizational unit of the X.509 certificate offered by the server.\n", + "name": "organizational_unit", + "type": "keyword" + }, + { + "description": "State or province name of the X.509 certificate offered by the server.\n", + "name": "state", + "type": "keyword" + } + ], + "name": "subject", + "type": "group" + } + ], + "name": "server", + "type": "group" + }, + { + "fields": [ + { + "description": "Chain of certificates offered by the client to validate its complete signing chain.\n", + "name": "cert_chain", + "type": "keyword" + }, + { + "description": "An ordered vector of certificate file identifiers for the certificates offered by the client.\n", + "name": "cert_chain_fuids", + "type": "keyword" + }, + { + "description": "Subject of the signer of the X.509 certificate offered by the client.\n", + "fields": [ + { + "description": "Common name of the signer of the X.509 certificate offered by the client.\n", + "name": "common_name", + "type": "keyword" + }, + { + "description": "Country code of the signer of the X.509 certificate offered by the client.\n", + "name": "country", + "type": "keyword" + }, + { + "description": "Locality of the signer of the X.509 certificate offered by the client.\n", + "name": "locality", + "type": "keyword" + }, + { + "description": "Organization of the signer of the X.509 certificate offered by the client.\n", + "name": "organization", + "type": "keyword" + }, + { + "description": "Organizational unit of the signer of the X.509 certificate offered by the client.\n", + "name": "organizational_unit", + "type": "keyword" + }, + { + "description": "State or province name of the signer of the X.509 certificate offered by the client.\n", + "name": "state", + "type": "keyword" + } + ], + "name": "issuer", + "type": "group" + }, + { + "description": "Subject of 
the X.509 certificate offered by the client.\n", + "fields": [ + { + "description": "Common name of the X.509 certificate offered by the client.\n", + "name": "common_name", + "type": "keyword" + }, + { + "description": "Country code of the X.509 certificate offered by the client.\n", + "name": "country", + "type": "keyword" + }, + { + "description": "Locality of the X.509 certificate offered by the client.\n", + "name": "locality", + "type": "keyword" + }, + { + "description": "Organization of the X.509 certificate offered by the client.\n", + "name": "organization", + "type": "keyword" + }, + { + "description": "Organizational unit of the X.509 certificate offered by the client.\n", + "name": "organizational_unit", + "type": "keyword" + }, + { + "description": "State or province name of the X.509 certificate offered by the client.\n", + "name": "state", + "type": "keyword" + } + ], + "name": "subject", + "type": "group" + } + ], + "name": "client", + "type": "group" + } + ], + "name": "ssl", + "type": "group" + } + ] + } + } + } + }, + "stats": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek stats log.\n", + "fields": [ + { + "description": "Peer that generated this log. 
Mostly for clusters.\n", + "name": "peer", + "type": "keyword" + }, + { + "description": "Amount of memory currently in use in MB.\n", + "name": "memory", + "type": "integer" + }, + { + "fields": [ + { + "description": "Number of packets processed since the last stats interval.\n", + "name": "processed", + "type": "long" + }, + { + "description": "Number of packets dropped since the last stats interval if reading live traffic.\n", + "name": "dropped", + "type": "long" + }, + { + "description": "Number of packets seen on the link since the last stats interval if reading live traffic.\n", + "name": "received", + "type": "long" + } + ], + "name": "packets", + "type": "group" + }, + { + "fields": [ + { + "description": "Number of bytes received since the last stats interval if reading live traffic.\n", + "name": "received", + "type": "long" + } + ], + "name": "bytes", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "description": "TCP connections currently in memory.\n", + "name": "active", + "type": "integer" + }, + { + "description": "TCP connections seen since last stats interval.\n", + "name": "count", + "type": "integer" + } + ], + "name": "tcp", + "type": "group" + }, + { + "fields": [ + { + "description": "UDP connections currently in memory.\n", + "name": "active", + "type": "integer" + }, + { + "description": "UDP connections seen since last stats interval.\n", + "name": "count", + "type": "integer" + } + ], + "name": "udp", + "type": "group" + }, + { + "fields": [ + { + "description": "ICMP connections currently in memory.\n", + "name": "active", + "type": "integer" + }, + { + "description": "ICMP connections seen since last stats interval.\n", + "name": "count", + "type": "integer" + } + ], + "name": "icmp", + "type": "group" + } + ], + "name": "connections", + "type": "group" + }, + { + "fields": [ + { + "description": "Number of events processed since the last stats interval.\n", + "name": "processed", + "type": "integer" + }, + { + 
"description": "Number of events that have been queued since the last stats interval.\n", + "name": "queued", + "type": "integer" + } + ], + "name": "events", + "type": "group" + }, + { + "fields": [ + { + "description": "Number of timers scheduled since last stats interval.\n", + "name": "count", + "type": "integer" + }, + { + "description": "Current number of scheduled timers.\n", + "name": "active", + "type": "integer" + } + ], + "name": "timers", + "type": "group" + }, + { + "fields": [ + { + "description": "Number of files seen since last stats interval.\n", + "name": "count", + "type": "integer" + }, + { + "description": "Current number of files actively being seen.\n", + "name": "active", + "type": "integer" + } + ], + "name": "files", + "type": "group" + }, + { + "fields": [ + { + "description": "Number of DNS requests seen since last stats interval.\n", + "name": "count", + "type": "integer" + }, + { + "description": "Current number of DNS requests awaiting a reply.\n", + "name": "active", + "type": "integer" + } + ], + "name": "dns_requests", + "type": "group" + }, + { + "fields": [ + { + "description": "Current size of TCP data in reassembly.\n", + "name": "tcp", + "type": "integer" + }, + { + "description": "Current size of File data in reassembly.\n", + "name": "file", + "type": "integer" + }, + { + "description": "Current size of packet fragment data in reassembly.\n", + "name": "frag", + "type": "integer" + }, + { + "description": "Current size of unknown data in reassembly (this is only PIA buffer right now).\n", + "name": "unknown", + "type": "integer" + } + ], + "name": "reassembly_size", + "type": "group" + }, + { + "description": "Lag between the wall clock and packet timestamps if reading live traffic.\n", + "name": "timestamp_lag", + "type": "integer" + } + ], + "name": "stats", + "type": "group" + } + ] + } + } + } + }, + "syslog": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": 
"Fields exported by the Zeek syslog log.\n", + "fields": [ + { + "description": "Syslog facility for the message.\n", + "name": "facility", + "type": "keyword" + }, + { + "description": "Syslog severity for the message.\n", + "name": "severity", + "type": "keyword" + }, + { + "description": "The plain text message.\n", + "name": "message", + "type": "keyword" + } + ], + "name": "syslog", + "type": "group" + } + ] + } + } + } + }, + "tunnel": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek SSH log.\n", + "fields": [ + { + "description": "The type of tunnel.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "The type of activity that occurred.\n", + "name": "action", + "type": "keyword" + } + ], + "name": "tunnel", + "type": "group" + } + ] + } + } + } + }, + "weird": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek Weird log.\n", + "fields": [ + { + "description": "The name of the weird that occurred.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Additional information accompanying the weird if any.\n", + "name": "additional_info", + "type": "keyword" + }, + { + "description": "Indicate if this weird was also turned into a notice.\n", + "name": "notice", + "type": "boolean" + }, + { + "description": "The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble.\n", + "name": "peer", + "type": "keyword" + }, + { + "description": "This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. 
This field is used to define when a weird is conceptually a duplicate of a previous weird.\n", + "name": "identifier", + "type": "keyword" + } + ], + "name": "weird", + "type": "group" + } + ] + } + } + } + }, + "x509": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Fields exported by the Zeek x509 log.\n", + "fields": [ + { + "description": "File id of this certificate.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Basic information about the certificate.\n", + "fields": [ + { + "description": "Version number.\n", + "name": "version", + "type": "integer" + }, + { + "description": "Serial number.\n", + "name": "serial", + "type": "keyword" + }, + { + "description": "Subject.\n", + "fields": [ + { + "description": "Country provided in the certificate subject.\n", + "name": "country", + "type": "keyword" + }, + { + "description": "Common name provided in the certificate subject.\n", + "name": "common_name", + "type": "keyword" + }, + { + "description": "Locality provided in the certificate subject.\n", + "name": "locality", + "type": "keyword" + }, + { + "description": "Organization provided in the certificate subject.\n", + "name": "organization", + "type": "keyword" + }, + { + "description": "Organizational unit provided in the certificate subject.\n", + "name": "organizational_unit", + "type": "keyword" + }, + { + "description": "State or province provided in the certificate subject.\n", + "name": "state", + "type": "keyword" + } + ], + "name": "subject", + "type": "group" + }, + { + "description": "Issuer.\n", + "fields": [ + { + "description": "Country provided in the certificate issuer field.\n", + "name": "country", + "type": "keyword" + }, + { + "description": "Common name provided in the certificate issuer field.\n", + "name": "common_name", + "type": "keyword" + }, + { + "description": "Locality provided in the certificate issuer field.\n", + "name": "locality", + "type": 
"keyword" + }, + { + "description": "Organization provided in the certificate issuer field.\n", + "name": "organization", + "type": "keyword" + }, + { + "description": "Organizational unit provided in the certificate issuer field.\n", + "name": "organizational_unit", + "type": "keyword" + }, + { + "description": "State or province provided in the certificate issuer field.\n", + "name": "state", + "type": "keyword" + } + ], + "name": "issuer", + "type": "group" + }, + { + "description": "Last (most specific) common name.\n", + "name": "common_name", + "type": "keyword" + }, + { + "description": "Certificate validity timestamps\n", + "fields": [ + { + "description": "Timestamp before when certificate is not valid.\n", + "name": "from", + "type": "date" + }, + { + "description": "Timestamp after when certificate is not valid.\n", + "name": "until", + "type": "date" + } + ], + "name": "valid", + "type": "group" + }, + { + "fields": [ + { + "description": "Name of the key algorithm.\n", + "name": "algorithm", + "type": "keyword" + }, + { + "description": "Key type, if key parseable by openssl (either rsa, dsa or ec).\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Key length in bits.\n", + "name": "length", + "type": "integer" + } + ], + "name": "key", + "type": "group" + }, + { + "description": "Name of the signature algorithm.\n", + "name": "signature_algorithm", + "type": "keyword" + }, + { + "description": "Exponent, if RSA-certificate.\n", + "name": "exponent", + "type": "keyword" + }, + { + "description": "Curve, if EC-certificate.\n", + "name": "curve", + "type": "keyword" + } + ], + "name": "certificate", + "type": "group" + }, + { + "description": "Subject alternative name extension of the certificate.\n", + "fields": [ + { + "description": "List of DNS entries in SAN.\n", + "name": "dns", + "type": "keyword" + }, + { + "description": "List of URI entries in SAN.\n", + "name": "uri", + "type": "keyword" + }, + { + "description": "List of 
email entries in SAN.\n", + "name": "email", + "type": "keyword" + }, + { + "description": "List of IP entries in SAN.\n", + "name": "ip", + "type": "ip" + }, + { + "description": "True if the certificate contained other, not recognized or parsed name fields.\n", + "name": "other_fields", + "type": "boolean" + } + ], + "name": "san", + "type": "group" + }, + { + "description": "Basic constraints extension of the certificate.\n", + "fields": [ + { + "description": "CA flag set or not.\n", + "name": "certificate_authority", + "type": "boolean" + }, + { + "description": "Maximum path length.\n", + "name": "path_length", + "type": "integer" + } + ], + "name": "basic_constraints", + "type": "group" + }, + { + "description": "Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded\nLogging of certificate is suppressed if set to F.\n", + "name": "log_cert", + "type": "boolean" + } + ], + "name": "x509", + "type": "group" + } + ] + } + } + } + } + } + }, + "zscaler": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "module": "zscaler", + "zia": { + "enabled": true + } + } + ], + "fields.yml": [ + { + "description": "zscaler fields.\n", + "fields": null, + "key": "zscaler", + "title": "Zscaler NSS" + } + ] + } + }, + "zia": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "default_field": false, + "description": "Name of the network interface where the traffic has been observed.\n", + "name": "network.interface.name", + "overwrite": true, + "type": "keyword" + }, + { + "default_field": false, + "fields": [ + { + "fields": [ + { + "description": "This key is used to capture the raw message that comes into the Log Decoder", + "name": "msg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "messageid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of instant messages", + "name": "message", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.", + "name": "time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "level", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "msg_vid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "data", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_server", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "obj_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "statement", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": 
"audit_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "entry", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "hcode", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "inode", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "resource_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "dead", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_class", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "device_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "device_type_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "did", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration", + "name": "entropy_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "event_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "feed_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.", + "name": "forward_ip", + "overwrite": true, + "type": "ip" + }, + { + "description": "This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "forward_ipv6", + "overwrite": true, + "type": "ip" + }, + { + "description": "This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "header_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_cid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "lc_ctime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most", + "name": "mcb_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams", + "name": "mcbc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
32 = log, 33 = correlation session, < 32 is packet session", + "name": "medium", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "node_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key denotes that event is endpoint related", + "name": "nwe_callback_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "parse_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep", + "name": "payload_res", + "overwrite": true, + "type": "long" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.", + "name": "process_vid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.", + "name": "process_vid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "rid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "session_split", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "site", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "size", + "overwrite": true, + "type": "long" + }, + { + "description": "This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "sourcefile", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_req", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once", + "name": "ubc_res", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log", + "name": "word", + "overwrite": true, + "type": "keyword" + } + ], + "name": "internal", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form", + "name": "event_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the normalized duration/lifetime in seconds.", + "name": "duration_time", + "overwrite": true, + "type": "double" + }, + { + "description": "This key is used to capture the incomplete time mentioned in a session as a string", + "name": "event_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Start time mentioned in a session in a standard form", + "name": "starttime", + "overwrite": true, + "type": "date" + }, + { + "name": "month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "day", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the End time mentioned in a session in a standard form", + "name": "endtime", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is used to capture the timezone of the Event Time", + "name": "timezone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A text string version of the duration", + "name": "duration_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "The event time as recorded by the system the event is collected from. 
The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.", + "name": "recorded_time", + "overwrite": true, + "type": "date" + }, + { + "name": "datetime", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the effective time referenced by an individual event in a Standard Timestamp format", + "name": "effective_time", + "overwrite": true, + "type": "date" + }, + { + "description": "This key is the timestamp that explicitly refers to an expiration.", + "name": "expire_time", + "overwrite": true, + "type": "date" + }, + { + "description": "Deprecated, use duration.time", + "name": "process_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "hour", + "overwrite": true, + "type": "keyword" + }, + { + "name": "min", + "overwrite": true, + "type": "keyword" + }, + { + "name": "timestamp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Time that the event was queued.", + "name": "event_queue_time", + "overwrite": true, + "type": "date" + }, + { + "name": "p_time1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tzone", + "overwrite": true, + "type": "keyword" + }, + { + "name": "eventtime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmtdate", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gmttime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_date", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_month", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_time2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_year", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture incomplete timestamp that explicitly refers to an expiration.", + "name": 
"expire_time_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "stamp", + "overwrite": true, + "type": "date" + } + ], + "name": "time", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "name": "action", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result string value of an action in a session.", + "name": "result", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the severity given the session", + "name": "severity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the event category type as specified by the event source.", + "name": "event_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture an event id from the session directly", + "name": "reference_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version of the application or OS which is generating the event.", + "name": "version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The end state of an action.", + "name": "disposition", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the outcome/result numeric value of an action in a session", + "name": "result_code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the category of an event given by the vendor in the session", + "name": "category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of object", + "name": "obj_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture type of object", + "name": "obj_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source of 
the event that\u2019s not a hostname", + "name": "event_source", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a sessionid from the session directly", + "name": "log_session_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Group Name value", + "name": "group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy Name only.", + "name": "policy_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule Name", + "name": "rule_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Information which adds additional context to the event.", + "name": "context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the new values of the attribute that\u2019s changing in a session", + "name": "change_new", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.", + "name": "client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the old value of the attribute that\u2019s changing in a session", + "name": "change_old", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An alert number or operation number. 
The values should be unique and non-repeating.", + "name": "operation_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the current state of the object/item referenced within the event. Describing an on-going event.", + "name": "event_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a collection/grouping of entities. Specific usage", + "name": "group_object", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Common use case is the node name within a cluster. The cluster name is reflected by the host name.", + "name": "node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule number", + "name": "rule", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc", + "name": "device_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the parameters passed as part of a command or application, etc.", + "name": "param", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of the attribute that\u2019s changing in a session", + "name": "change_attrib", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.", + "name": "event_computer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Linked ID to be used as an addition to \"reference.id\"", + "name": "reference_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the event log", + "name": "event_log", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Name of the Operating System", + "name": "OS", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key captures the Terminal Names only", + "name": "terminal", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter used to reduce result set", + "name": "filter", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Serial number associated with a physical asset.", + "name": "serial_number", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.", + "name": "checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.", + "name": "event_user", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of the virus", + "name": "virusname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Content Type only.", + "name": "content_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Group ID Number (related to the group name)", + "name": "group_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise", + "name": "policy_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Virtual System Name", + "name": "vsys", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Connection ID", + "name": "connection_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for the 2nd 
Linked ID. Can be either linked to \"reference.id\" or \"reference.id1\" value but should not be used unless the other two variables are in play.", + "name": "reference_id2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Name of the sensor. Typically used in IDS/IPS based devices", + "name": "sensor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID", + "name": "sig_id", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).", + "name": "port_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Rule group name", + "name": "rule_group", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures a Numeric Risk value", + "name": "risk_num", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures the Value of the trigger or threshold condition.", + "name": "trigger_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a Linked (Related) Session ID from the session directly", + "name": "log_session_id1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Version level of a sub-component of a product.", + "name": "comp_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Version level of a signature or database content.", + "name": "content_version", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture unique identifier for a device or system (NOT a Mac address)", + "name": "hardware_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the non-numeric risk value", + "name": "risk", + "overwrite": true, + "type": "keyword" + }, + { + 
"name": "event_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "reason", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the mailbox id/name", + "name": "mail_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Unique Identifier for a rule.", + "name": "rule_uid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Description of the trigger or threshold condition.", + "name": "trigger_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "inout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "data_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgIdPart4", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures All non successful Error codes or responses", + "name": "error", + "overwrite": true, + "type": "keyword" + }, + { + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture listname or listnumber, primarily for collecting access-list", + "name": "listnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ntype", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Value observed (from the perspective of the device generating the log).", + "name": "observed_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the contents of the policy. 
This contains details about the policy", + "name": "policy_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the name of a resource pool", + "name": "pool_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template", + "name": "rule_template", + "overwrite": true, + "type": "keyword" + }, + { + "name": "count", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigcat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Comment information provided in the log message", + "name": "comments", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures File Identification number", + "name": "doc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the Value expected (from the perspective of the device generating the log).", + "name": "expected_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Job Number", + "name": "job_num", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Destination SPI Index", + "name": "spi_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Source SPI Index", + "name": "spi_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "code", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture agent id", + "name": "agent_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the The contents of the message body.", + "name": "message_body", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This 
key captures a string object of the sigid variable.", + "name": "sig_id_str", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cmd", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the CPU time used in the execution of the event being recorded.", + "name": "cpu", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture a description of an event available directly or inferred", + "name": "event_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id", + "name": "sig_id1", + "overwrite": true, + "type": "long" + }, + { + "name": "im_buddyid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_client", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "priority", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to be used in an audit context where the subject is the object being identified", + "name": "context_subject", + "overwrite": true, + "type": "keyword" + }, + { + "name": "context_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.", + "name": "cve", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Filter Category Number. 
Legacy Usage", + "name": "fcatnum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture library information in mainframe devices", + "name": "library", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Parent Node Name. Must be related to node variable.", + "name": "parent_node", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_info", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is captures the TCP flags set in any packet of session", + "name": "tcp_flags", + "overwrite": true, + "type": "long" + }, + { + "description": "This key describes the type of service", + "name": "tos", + "overwrite": true, + "type": "long" + }, + { + "description": "VMWare Target **VMWARE** only varaible.", + "name": "vm_target", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Workspace Description", + "name": "workspace", + "overwrite": true, + "type": "keyword" + }, + { + "name": "command", + "overwrite": true, + "type": "keyword" + }, + { + "name": "event_category", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facilityname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "forensic_info", + "overwrite": true, + "type": "keyword" + }, + { + "name": "jobname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy", + "overwrite": true, + "type": "keyword" + }, + { + "name": "policy_waiver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "second", + "overwrite": true, + "type": "keyword" + }, + { + "name": "space1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "subcategory", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr2", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "alert_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the the target entity such as a process or file.", + "name": "checksum_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the checksum or hash of the source entity such as a file or process.", + "name": "checksum_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Filter Result", + "name": "fresult", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture destination payload", + "name": "payload_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source payload", + "name": "payload_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the identifier (typically numeric field) of a resource pool", + "name": "pool_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a failure key for Process ID when it is not an integer value", + "name": "process_id_val", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Risk Number Community", + "name": "risk_num_comm", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number NextGen", + "name": "risk_num_next", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number SandBox", + "name": "risk_num_sand", + "overwrite": true, + "type": "double" + }, + { + "description": "This key captures Risk Number Static", + "name": "risk_num_static", + "overwrite": true, + "type": "double" + }, + { + "description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_suspicious", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)", + "name": "risk_warning", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP Object Identifier", + "name": "snmp_oid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL query", + "name": "sql", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Vulnerability Reference details", + "name": "vuln_ref", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_op", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_pos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "acl_table", + "overwrite": true, + "type": "keyword" + }, + { + "name": "admin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarm_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alarmname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "app_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "audit_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "auditdata", + "overwrite": true, + "type": "keyword" + }, + { + "name": "benchmark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "bypass", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cache_hit", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cefversion", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_attr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_obj", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cfg_path", + "overwrite": true, + "type": "keyword" + }, + { + "name": "changes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "client_ip", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "clustermembers", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_acttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_bgpv4nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ctr_dst_code", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_dst_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_engine_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_f_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampintv", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_flowsampmode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inacttimeout", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermbyts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_inpermpckts", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_invalid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ip_proto_ver", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_ipv4_ident", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_l_switch", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_did", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_log_rid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_max_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_maxpcktlen", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_min_ttl", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_minpcktlen", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_10", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_4", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_5", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_6", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_7", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_8", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mpls_lbl_9", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mplstoplabip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_byt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_mul_dst_pks", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_muligmptype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampalgo", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sampint", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_seqctr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_spackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_tos", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_src_vlan", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_sysuptime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_template_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totbytsexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totflowexp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_totpcktsexp", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "cn_unixnanosecs", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6flowlabel", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_v6optheaders", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_rbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "comp_sbytes", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cpu_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "criticality", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_agency_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_analyzedby", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_other", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_primary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_av_secondary", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bgpv6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_bit9status", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_context", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_control", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_datecret", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_dst_tld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_dst_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_eth_src_ven", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_event_uuid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_filetype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_fld", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "cs_if_desc", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_if_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ip_next_hop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4dstpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_ipv4srcpre", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_lifetime", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_log_medium", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_loginname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulescore", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_modulesign", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_opswatresult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_payload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrant", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_registrar", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_represult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sampler_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_sourcemodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_streams", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_targetmodule", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_v6nxthop", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_whois_server", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cs_yararesult", + "overwrite": true, + "type": "keyword" + }, + { + "name": "description", + "overwrite": true, + "type": "keyword" + }, + { + "name": "devvendor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "distance", + "overwrite": true, + "type": "keyword" + }, + 
{ + "name": "dstburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomain", + "overwrite": true, + "type": "keyword" + }, + { + "name": "edomaub", + "overwrite": true, + "type": "keyword" + }, + { + "name": "euid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "facility", + "overwrite": true, + "type": "keyword" + }, + { + "name": "finterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "flags", + "overwrite": true, + "type": "keyword" + }, + { + "name": "gaddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "id3", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_buddyname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_croomtype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_members", + "overwrite": true, + "type": "keyword" + }, + { + "name": "im_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipscat", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ipspri", + "overwrite": true, + "type": "keyword" + }, + { + "name": "latitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linenum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "list_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "load_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_floor", + "overwrite": true, + "type": "keyword" + }, + { + "name": "location_mark", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "log_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logip", + "overwrite": true, + "type": "keyword" + }, + { + "name": "logname", + "overwrite": true, + "type": 
"keyword" + }, + { + "name": "longitude", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "mbug_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "misc_name", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msg_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "msgid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "netsessid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "number2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "nwwn", + "overwrite": true, + "type": "keyword" + }, + { + "name": "object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "operation", + "overwrite": true, + "type": "keyword" + }, + { + "name": "opkt", + "overwrite": true, + "type": "keyword" + }, + { + "name": "orig_from", + "overwrite": true, + "type": "keyword" + }, + { + "name": "owner_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_action", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_filter", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_group_object", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_msgid2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_result1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_chg", + "overwrite": true, + "type": "keyword" + }, + { + "name": "password_expire", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permgranted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "permwanted", + "overwrite": true, + "type": "keyword" + }, + { + "name": "pgid", + "overwrite": 
true, + "type": "keyword" + }, + { + "name": "policyUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "prog_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "program", + "overwrite": true, + "type": "keyword" + }, + { + "name": "real_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_device", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_asp_num", + "overwrite": true, + "type": "keyword" + }, + { + "name": "rec_library", + "overwrite": true, + "type": "keyword" + }, + { + "name": "recordnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "ruid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sdomain_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sec", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sensorname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "seqnum", + "overwrite": true, + "type": "keyword" + }, + { + "name": "session", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sessiontype", + "overwrite": true, + "type": "keyword" + }, + { + "name": "sigUUID", + "overwrite": true, + "type": "keyword" + }, + { + "name": "spi", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcburb", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "srcservice", + "overwrite": true, + "type": "keyword" + }, + { + "name": "state", + "overwrite": true, + "type": "keyword" + }, + { + "name": "status1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "svcno", + "overwrite": true, + "type": "keyword" + }, + { + "name": "system", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tbdstr1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdom", + "overwrite": true, + "type": "keyword" + }, + { + "name": "tgtdomain", + 
"overwrite": true, + "type": "keyword" + }, + { + "name": "threshold", + "overwrite": true, + "type": "keyword" + }, + { + "name": "type1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "udb_class", + "overwrite": true, + "type": "keyword" + }, + { + "name": "url_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "user_div", + "overwrite": true, + "type": "keyword" + }, + { + "name": "userid", + "overwrite": true, + "type": "keyword" + }, + { + "name": "username_fld", + "overwrite": true, + "type": "keyword" + }, + { + "name": "utcstamp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "v_instafname", + "overwrite": true, + "type": "keyword" + }, + { + "name": "virt_data", + "overwrite": true, + "type": "keyword" + }, + { + "name": "vpnid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Auto Run type", + "name": "autorun_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Valid Credit Card Numbers only", + "name": "cc_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the content type from protocol headers", + "name": "content", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Employee Identification Numbers only", + "name": "ein_number", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the results of regex match", + "name": "found", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture list of languages the client support and what it prefers", + "name": "language", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the session lifetime in seconds.", + "name": "lifetime", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness", + "name": "link", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for regex match name from search.ini", + "name": "match", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the command line/launch argument of the target process or file", + "name": "param_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures source parameter", + "name": "param_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Search Text used", + "name": "search_text", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Signature Name only.", + "name": "sig_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "SNMP set request value", + "name": "snmp_value", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures number of streams in session", + "name": "streams", + "overwrite": true, + "type": "long" + } + ], + "name": "misc", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures IndexID of the index.", + "name": "index", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the database server instance name", + "name": "instance", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the name of a database or an instance as seen in a session", + "name": "database", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the SQL transantion ID of the current session", + "name": "transact_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures permission or privilege level assigned to a resource.", + "name": "permissions", + 
"overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the table name", + "name": "table_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the unique identifier for a database", + "name": "db_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the process id of a connection with database server", + "name": "db_pid", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical reads", + "name": "lread", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of logical writes", + "name": "lwrite", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for the number of physical writes", + "name": "pread", + "overwrite": true, + "type": "long" + } + ], + "name": "db", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.", + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Hostname", + "name": "host_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture layer 7 protocols/service names", + "name": "network_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of an interface is not clear", + "name": "interface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)", + "name": "network_port", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use alias.mac", + "name": "eth_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Source Interface", + "name": "sinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Interface", + "name": "dinterface", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the ID of the Virtual LAN", + "name": "vlan", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should only be used when it\u2019s a Source Zone.", + "name": "zone_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should be used when the source or destination context of a Zone is not clear", + "name": "zone", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used when it\u2019s a Destination Zone.", + "name": "zone_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the IP Address of the gateway", + "name": "gateway", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP type only", + "name": "icmp_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used to capture the device network IPmask.", + "name": "mask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the ICMP code only", + "name": "icmp_code", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture additional protocol information", + "name": "protocol_detail", + "overwrite": true, + "type": "keyword" + }, + { + 
"description": "This key is used for Destionation Device network mask", + "name": "dmask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture a Network Port when the directionality is not clear", + "name": "port", + "overwrite": true, + "type": "long" + }, + { + "description": "This key is used for capturing source Network Mask", + "name": "smask", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the network name associated with an IP range. This is configured by the end user.", + "name": "netname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated", + "name": "paddr", + "overwrite": true, + "type": "ip" + }, + { + "name": "faddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "lhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "origin", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "addr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_a_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_ptr_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fhost", + "overwrite": true, + "type": "keyword" + }, + { + "name": "fport", + "overwrite": true, + "type": "keyword" + }, + { + "name": "laddr", + "overwrite": true, + "type": "keyword" + }, + { + "name": "linterface", + "overwrite": true, + "type": "keyword" + }, + { + "name": "phost", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use host.dst", + "name": "ad_computer_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only", + "name": "eth_type", + "overwrite": true, + "type": "long" + }, + { + "description": "This key should be used to capture the Protocol number, all the protocol nubers 
are converted into string in UI", + "name": "ip_proto", + "overwrite": true, + "type": "long" + }, + { + "name": "dns_cname_record", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_id", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_opcode", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_resp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "dns_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "domain1", + "overwrite": true, + "type": "keyword" + }, + { + "name": "host_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "packet_length", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.", + "name": "host_orig", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the total number of payload bytes seen in the retransmitted packets.", + "name": "rpayload", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the name of the Virtual LAN", + "name": "vlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "network", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures the particular event activity(Ex:Logoff)", + "name": "ec_activity", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Theme of a particular Event(Ex:Authentication)", + "name": "ec_theme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Subject of a particular Event(Ex:User)", + "name": "ec_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the outcome of a particular Event(Ex:Success)", + "name": "ec_outcome", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Event 
category number", + "name": "event_cat", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures the event category name corresponding to the event cat code", + "name": "event_cat_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.", + "name": "event_vcat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file", + "name": "analysis_file", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service", + "name": "analysis_service", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session", + "name": "analysis_session", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture behaviour of compromise", + "name": "boc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture Enablers of Compromise", + "name": "eoc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation category", + "name": "inv_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This used to capture investigation context", + "name": "inv_context", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is key capture indicator of compromise", + "name": "ioc", + "overwrite": true, + "type": "keyword" + } + ], + "name": "investigations", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is a generic counter key that should be used with the label dclass.c1.str only", + "name": "dclass_c1", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c2.str only", + "name": "dclass_c2", + "overwrite": true, + "type": "long" + }, + { + "description": "This is used to capture the number of times an event repeated", + "name": "event_counter", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r1.str only", + "name": "dclass_r1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter key that should be used with the label dclass.c3.str only", + "name": "dclass_c3", + "overwrite": true, + "type": "long" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c1 only", + "name": "dclass_c1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter 
string key that should be used with the label dclass.c2 only", + "name": "dclass_c2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r1 only", + "name": "dclass_r1_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r2.str only", + "name": "dclass_r2", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic counter string key that should be used with the label dclass.c3 only", + "name": "dclass_c3_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio key that should be used with the label dclass.r3.str only", + "name": "dclass_r3", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r2 only", + "name": "dclass_r2_str", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is a generic ratio string key that should be used with the label dclass.r3 only", + "name": "dclass_r3_str", + "overwrite": true, + "type": "keyword" + } + ], + "name": "counters", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture authentication methods used only", + "name": "auth_method", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Role of a user only", + "name": "user_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "X.500 (LDAP) Distinguished Name", + "name": "dn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the type of logon method used.", + "name": "logon_type", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the user profile", + "name": "profile", + "overwrite": true, + "type": 
"keyword" + }, + { + "description": "This key is used to capture actual privileges used in accessing an object", + "name": "accesses", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Radius realm or similar grouping of accounts", + "name": "realm", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination User Session ID", + "name": "user_sid_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn", + "name": "dn_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the User organization", + "name": "org", + "overwrite": true, + "type": "keyword" + }, + { + "description": "An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn", + "name": "dn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "firstname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "lastname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "User's Department Names only", + "name": "user_dept", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source User Session ID", + "name": "user_sid_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Federated Service Provider. This is the application requesting authentication.", + "name": "federated_sp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the federated Identity Provider. 
This is the server providing the authentication.", + "name": "federated_idp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.", + "name": "logon_type_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "middlename", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Passwords seen in any session, plain text or encrypted", + "name": "password", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key should only be used to capture the role of a Host Machine", + "name": "host_role", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context", + "name": "ldap", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is the Search criteria from an LDAP search", + "name": "ldap_query", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is to capture Results from an LDAP search", + "name": "ldap_response", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture username the process or service is running as, the author of the task", + "name": "owner", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage", + "name": "service_account", + "overwrite": true, + "type": "keyword" + } + ], + "name": "identity", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Destination email address only, when the destination context is not clear use email", + "name": "email_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the source email address only, when the source context is not clear use email", + "name": "email_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the subject string from an Email only.", + "name": "subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture a generic email address where the source or destination context is not clear", + "name": "email", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_from", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "trans_to", + "overwrite": true, + "type": "keyword" + } + ], + "name": "email", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Deprecated, use permissions", + "name": "privilege", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the attachment file name", + "name": "attachment", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filesystem", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "binary", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the file targeted by the action", + "name": "filename_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the parent filename, the 
file which performed the action", + "name": "filename_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "filename_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the target process or file", + "name": "directory_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the directory of the source process or file", + "name": "directory_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture entropy vale of a file", + "name": "file_entropy", + "overwrite": true, + "type": "double" + }, + { + "description": "This is used to capture Company name of file located in version_info", + "name": "file_vendor", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture name of the task", + "name": "task_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "file", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "Fully Qualified Domain Names", + "name": "fqdn", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Web cookies specifically.", + "name": "web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "alias_host", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Reputation Number of an entity. 
Typically used for Web Domains", + "name": "reputation_num", + "overwrite": true, + "type": "double" + }, + { + "description": "Web referer's domain", + "name": "web_ref_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's query portion of the URL", + "name": "web_ref_query", + "overwrite": true, + "type": "keyword" + }, + { + "name": "remote_domain", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Web referer's page information", + "name": "web_ref_page", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Web referer's root URL path", + "name": "web_ref_root", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_asn_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cn_rpackets", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlpage", + "overwrite": true, + "type": "keyword" + }, + { + "name": "urlroot", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_url", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_user_agent", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_cookie", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_method", + "overwrite": true, + "type": "keyword" + }, + { + "name": "p_web_referer", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_extension_tmp", + "overwrite": true, + "type": "keyword" + }, + { + "name": "web_page", + "overwrite": true, + "type": "keyword" + } + ], + "name": "web", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key captures Threat Name/Threat Category/Categorization of alert", + "name": "threat_category", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the threat description from the session directly or inferred", + "name": "threat_desc", + "overwrite": true, + "type": "keyword" + }, + { + "description": 
"This key is used to capture name of the alert", + "name": "alert", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture source of the threat", + "name": "threat_source", + "overwrite": true, + "type": "keyword" + } + ], + "name": "threat", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the Encryption Type or Encryption Key only", + "name": "crypto", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Source (Client) Cipher", + "name": "cipher_src", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate organization only", + "name": "cert_subject", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer's IP Address", + "name": "peer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Source (Client) Cipher Size", + "name": "cipher_size_src", + "overwrite": true, + "type": "long" + }, + { + "description": "IKE negotiation phase.", + "name": "ike", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Encryption scheme used", + "name": "scheme", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Encryption peer\u2019s identity", + "name": "peer_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Signature Type", + "name": "sig_type", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_issuer", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated key defined only in table map.", + "name": "cert_host_name", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the Certificate Error String", + "name": "cert_error", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Destination 
(Server) Cipher", + "name": "cipher_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Destination (Server) Cipher Size", + "name": "cipher_size_dst", + "overwrite": true, + "type": "long" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_src", + "overwrite": true, + "type": "keyword" + }, + { + "name": "d_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "name": "s_certauth", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase One", + "name": "ike_cookie1", + "overwrite": true, + "type": "keyword" + }, + { + "description": "ID of the negotiation \u2014 sent for ISAKMP Phase Two", + "name": "ike_cookie2", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_checksum", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used for the hostname category value of a certificate", + "name": "cert_host_cat", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate serial number only", + "name": "cert_serial", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures Certificate validation status", + "name": "cert_status", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Deprecated, use version", + "name": "ssl_ver_dst", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_keysize", + "overwrite": true, + "type": "keyword" + }, + { + "name": "cert_username", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_insact", + "overwrite": true, + "type": "keyword" + }, + { + "name": "https_valid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate signing authority only", + "name": "cert_ca", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the Certificate common 
name only", + "name": "cert_common", + "overwrite": true, + "type": "keyword" + } + ], + "name": "crypto", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the ssid of a Wireless Session", + "name": "wlan_ssid", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is used to capture the access point name.", + "name": "access_point", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the channel names", + "name": "wlan_channel", + "overwrite": true, + "type": "long" + }, + { + "description": "This key captures either WLAN number/name", + "name": "wlan_name", + "overwrite": true, + "type": "keyword" + } + ], + "name": "wireless", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "A unique name assigned to logical units (volumes) within a physical disk", + "name": "disk_volume", + "overwrite": true, + "type": "keyword" + }, + { + "description": "Logical Unit Number.This key is a very useful concept in Storage.", + "name": "lun", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This uniquely identifies a port on a HBA.", + "name": "pwwn", + "overwrite": true, + "type": "keyword" + } + ], + "name": "storage", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This is used to capture the destination organization based on the GEOPIP Maxmind database.", + "name": "org_dst", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This is used to capture the source organization based on the GEOPIP Maxmind database.", + "name": "org_src", + "overwrite": true, + "type": "keyword" + } + ], + "name": "physical", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is for First Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_fname", + "overwrite": true, + 
"type": "keyword" + }, + { + "description": "This key captures the unique ID for a patient", + "name": "patient_id", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_lname", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information", + "name": "patient_mname", + "overwrite": true, + "type": "keyword" + } + ], + "name": "healthcare", + "overwrite": true, + "type": "group" + }, + { + "fields": [ + { + "description": "This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on", + "name": "host_state", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures the path to the registry key", + "name": "registry_key", + "overwrite": true, + "type": "keyword" + }, + { + "description": "This key captures values or decorators used within a registry entry", + "name": "registry_value", + "overwrite": true, + "type": "keyword" + } + ], + "name": "endpoint", + "overwrite": true, + "type": "group" + } + ], + "name": "rsa", + "overwrite": true, + "type": "group" + } + ] + } + } + } + } + } + } + } + }, + "processors": { + "folders": { + "decode_cef": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Common Event Format (CEF) data.\n", + "fields": [ + { + "description": "By default the `decode_cef` processor writes all data from the CEF message to this `cef` object. 
It contains the CEF header fields and the extension data.\n", + "fields": [ + { + "description": "Version of the CEF specification used by the message.\n", + "name": "version", + "type": "keyword" + }, + { + "description": "Vendor of the device that produced the message.\n", + "name": "device.vendor", + "type": "keyword" + }, + { + "description": "Product of the device that produced the message.\n", + "name": "device.product", + "type": "keyword" + }, + { + "description": "Version of the product that produced the message.\n", + "name": "device.version", + "type": "keyword" + }, + { + "description": "Unique identifier of the event type.\n", + "name": "device.event_class_id", + "type": "keyword" + }, + { + "description": "Importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7- 8=High, and 9-10=Very-High.\n", + "example": "Very-High", + "name": "severity", + "type": "keyword" + }, + { + "description": "Short description of the event.\n", + "name": "name", + "type": "keyword" + }, + { + "default_field": false, + "description": "Collection of key-value pairs carried in the CEF extension field.\n", + "fields": [ + { + "description": "The IP address of the ArcSight connector that processed the event.", + "name": "agentAddress", + "type": "ip" + }, + { + "description": "The DNS domain name of the ArcSight connector that processed the event.", + "name": "agentDnsDomain", + "type": "keyword" + }, + { + "description": "The hostname of the ArcSight connector that processed the event.", + "name": "agentHostName", + "type": "keyword" + }, + { + "description": "The agent ID of the ArcSight connector that processed the event.", + "name": "agentId", + "type": "keyword" + }, + { + "description": "The MAC address of the ArcSight connector that processed the event.", + "name": "agentMacAddress", + "type": "keyword" + }, + { + "description": null, + "name": "agentNtDomain", + "type": "keyword" 
+ }, + { + "description": "The time at which information about the event was received by the ArcSight connector.", + "name": "agentReceiptTime", + "type": "date" + }, + { + "description": "The agent time zone of the ArcSight connector that processed the event.", + "name": "agentTimeZone", + "type": "keyword" + }, + { + "description": null, + "name": "agentTranslatedAddress", + "type": "ip" + }, + { + "description": null, + "name": "agentTranslatedZoneExternalID", + "type": "keyword" + }, + { + "description": null, + "name": "agentTranslatedZoneURI", + "type": "keyword" + }, + { + "description": "The agent type of the ArcSight connector that processed the event", + "name": "agentType", + "type": "keyword" + }, + { + "description": "The version of the ArcSight connector that processed the event.", + "name": "agentVersion", + "type": "keyword" + }, + { + "description": null, + "name": "agentZoneExternalID", + "type": "keyword" + }, + { + "description": null, + "name": "agentZoneURI", + "type": "keyword" + }, + { + "description": "Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on.", + "name": "applicationProtocol", + "type": "keyword" + }, + { + "description": "A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1.", + "name": "baseEventCount", + "type": "long" + }, + { + "description": "Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination.", + "name": "bytesIn", + "type": "long" + }, + { + "description": "Number of bytes transferred outbound relative to the source to destination relationship. 
For example, the byte number of data flowing from the destination to the source.", + "name": "bytesOut", + "type": "long" + }, + { + "description": null, + "name": "customerExternalID", + "type": "keyword" + }, + { + "description": null, + "name": "customerURI", + "type": "keyword" + }, + { + "description": "Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address.", + "name": "destinationAddress", + "type": "ip" + }, + { + "description": "The DNS domain part of the complete fully qualified domain name (FQDN).", + "name": "destinationDnsDomain", + "type": "keyword" + }, + { + "description": "The latitudinal value from which the destination's IP address belongs.", + "name": "destinationGeoLatitude", + "type": "double" + }, + { + "description": "The longitudinal value from which the destination's IP address belongs.", + "name": "destinationGeoLongitude", + "type": "double" + }, + { + "description": "Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available.", + "name": "destinationHostName", + "type": "keyword" + }, + { + "description": "Six colon-seperated hexadecimal numbers.", + "name": "destinationMacAddress", + "type": "keyword" + }, + { + "description": "The Windows domain name of the destination address.", + "name": "destinationNtDomain", + "type": "keyword" + }, + { + "description": "The valid port numbers are between 0 and 65535.", + "name": "destinationPort", + "type": "long" + }, + { + "description": "Provides the ID of the destination process associated with the event. 
For example, if an event contains process ID 105, \"105\" is the process ID.", + "name": "destinationProcessId", + "type": "long" + }, + { + "description": "The name of the event's destination process.", + "name": "destinationProcessName", + "type": "keyword" + }, + { + "description": "The service targeted by this event.", + "name": "destinationServiceName", + "type": "keyword" + }, + { + "description": "Identifies the translated destination that the event refers to in an IP network.", + "name": "destinationTranslatedAddress", + "type": "ip" + }, + { + "description": "Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535.", + "name": "destinationTranslatedPort", + "type": "long" + }, + { + "description": null, + "name": "destinationTranslatedZoneExternalID", + "type": "keyword" + }, + { + "description": "The URI for the Translated Zone that the destination asset has been assigned to in ArcSight.", + "name": "destinationTranslatedZoneURI", + "type": "keyword" + }, + { + "description": "Identifies the destination user by ID. For example, in UNIX, the root user is generally associated with user ID 0.", + "name": "destinationUserId", + "type": "keyword" + }, + { + "description": "Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field.", + "name": "destinationUserName", + "type": "keyword" + }, + { + "description": "The typical values are \"Administrator\", \"User\", and \"Guest\". This identifies the destination user's privileges. 
In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of \"Administrator\".", + "name": "destinationUserPrivileges", + "type": "keyword" + }, + { + "description": null, + "name": "destinationZoneExternalID", + "type": "keyword" + }, + { + "description": "The URI for the Zone that the destination asset has been assigned to in ArcSight.", + "name": "destinationZoneURI", + "type": "keyword" + }, + { + "description": "Action taken by the device.", + "name": "deviceAction", + "type": "keyword" + }, + { + "description": "Identifies the device address that an event refers to in an IP network.", + "name": "deviceAddress", + "type": "ip" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomFloatingPoint1Label", + "type": "keyword" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomFloatingPoint3Label", + "type": "keyword" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomFloatingPoint4Label", + "type": "keyword" + }, + { + "description": "One of two timestamp fields available to map fields that do not apply to any other in this dictionary.", + "name": "deviceCustomDate1", + "type": "date" + }, + { + "description": "All custom fields have a corresponding label field. 
Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomDate1Label", + "type": "keyword" + }, + { + "description": "One of two timestamp fields available to map fields that do not apply to any other in this dictionary.", + "name": "deviceCustomDate2", + "type": "date" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomDate2Label", + "type": "keyword" + }, + { + "description": "One of four floating point fields available to map fields that do not apply to any other in this dictionary.", + "name": "deviceCustomFloatingPoint1", + "type": "double" + }, + { + "description": "One of four floating point fields available to map fields that do not apply to any other in this dictionary.", + "name": "deviceCustomFloatingPoint2", + "type": "double" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomFloatingPoint2Label", + "type": "keyword" + }, + { + "description": "One of four floating point fields available to map fields that do not apply to any other in this dictionary.", + "name": "deviceCustomFloatingPoint3", + "type": "double" + }, + { + "description": "One of four floating point fields available to map fields that do not apply to any other in this dictionary.", + "name": "deviceCustomFloatingPoint4", + "type": "double" + }, + { + "description": "One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.", + "name": "deviceCustomIPv6Address1", + "type": "ip" + }, + { + "description": "All custom fields have a corresponding label field. 
Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomIPv6Address1Label", + "type": "keyword" + }, + { + "description": "One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.", + "name": "deviceCustomIPv6Address2", + "type": "ip" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomIPv6Address2Label", + "type": "keyword" + }, + { + "description": "One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.", + "name": "deviceCustomIPv6Address3", + "type": "ip" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomIPv6Address3Label", + "type": "keyword" + }, + { + "description": "One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.", + "name": "deviceCustomIPv6Address4", + "type": "ip" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomIPv6Address4Label", + "type": "keyword" + }, + { + "description": "One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.", + "name": "deviceCustomNumber1", + "type": "long" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomNumber1Label", + "type": "keyword" + }, + { + "description": "One of three number fields available to map fields that do not apply to any other in this dictionary. 
Use sparingly and seek a more specific, dictionary supplied field when possible.", + "name": "deviceCustomNumber2", + "type": "long" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomNumber2Label", + "type": "keyword" + }, + { + "description": "One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.", + "name": "deviceCustomNumber3", + "type": "long" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomNumber3Label", + "type": "keyword" + }, + { + "description": "One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.", + "name": "deviceCustomString1", + "type": "keyword" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomString1Label", + "type": "keyword" + }, + { + "description": "One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.", + "name": "deviceCustomString2", + "type": "keyword" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomString2Label", + "type": "keyword" + }, + { + "description": "One of six strings available to map fields that do not apply to any other in this dictionary. 
Use sparingly and seek a more specific, dictionary supplied field when possible.", + "name": "deviceCustomString3", + "type": "keyword" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomString3Label", + "type": "keyword" + }, + { + "description": "One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.", + "name": "deviceCustomString4", + "type": "keyword" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomString4Label", + "type": "keyword" + }, + { + "description": "One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.", + "name": "deviceCustomString5", + "type": "keyword" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomString5Label", + "type": "keyword" + }, + { + "description": "One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.", + "name": "deviceCustomString6", + "type": "keyword" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceCustomString6Label", + "type": "keyword" + }, + { + "description": "Any information about what direction the observed communication has taken. 
The following values are supported - \"0\" for inbound or \"1\" for outbound.", + "name": "deviceDirection", + "type": "long" + }, + { + "description": "The DNS domain part of the complete fully qualified domain name (FQDN).", + "name": "deviceDnsDomain", + "type": "keyword" + }, + { + "description": "Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example \"/Monitor/Disk/Read\".", + "name": "deviceEventCategory", + "type": "keyword" + }, + { + "description": "A name that uniquely identifies the device generating this event.", + "name": "deviceExternalId", + "type": "keyword" + }, + { + "description": "The facility generating this event. For example, Syslog has an explicit facility associated with every event.", + "name": "deviceFacility", + "type": "keyword" + }, + { + "description": "One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.", + "name": "deviceFlexNumber1", + "type": "long" + }, + { + "description": "All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceFlexNumber1Label", + "type": "keyword" + }, + { + "description": "One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.", + "name": "deviceFlexNumber2", + "type": "long" + }, + { + "description": "All custom fields have a corresponding label field. 
Each of these fields is a string and describes the purpose of the custom field.", + "name": "deviceFlexNumber2Label", + "type": "keyword" + }, + { + "description": "The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available.", + "name": "deviceHostName", + "type": "keyword" + }, + { + "description": "Interface on which the packet or data entered the device.", + "name": "deviceInboundInterface", + "type": "keyword" + }, + { + "description": "Six colon-separated hexadecimal numbers.", + "name": "deviceMacAddress", + "type": "keyword" + }, + { + "description": "The Windows domain name of the device address.", + "name": "deviceNtDomain", + "type": "keyword" + }, + { + "description": "Interface on which the packet or data left the device.", + "name": "deviceOutboundInterface", + "type": "keyword" + }, + { + "description": "Unique identifier for the payload associated with the event.", + "name": "devicePayloadId", + "type": "keyword" + }, + { + "description": "Provides the ID of the process on the device generating the event.", + "name": "deviceProcessId", + "type": "long" + }, + { + "description": "Process name associated with the event. An example might be the process generating the syslog entry in UNIX.", + "name": "deviceProcessName", + "type": "keyword" + }, + { + "description": "The time at which the event related to the activity was received. 
The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970)", + "name": "deviceReceiptTime", + "type": "date" + }, + { + "description": "The time zone for the device generating the event.", + "name": "deviceTimeZone", + "type": "keyword" + }, + { + "description": "Identifies the translated device address that the event refers to in an IP network.", + "name": "deviceTranslatedAddress", + "type": "ip" + }, + { + "description": null, + "name": "deviceTranslatedZoneExternalID", + "type": "keyword" + }, + { + "description": "The URI for the Translated Zone that the device asset has been assigned to in ArcSight.", + "name": "deviceTranslatedZoneURI", + "type": "keyword" + }, + { + "description": null, + "name": "deviceZoneExternalID", + "type": "keyword" + }, + { + "description": "Thee URI for the Zone that the device asset has been assigned to in ArcSight.", + "name": "deviceZoneURI", + "type": "keyword" + }, + { + "description": "The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st1970). An example would be reporting the end of a session.", + "name": "endTime", + "type": "date" + }, + { + "description": "This is a unique ID that ArcSight assigns to each event.", + "name": "eventId", + "type": "long" + }, + { + "description": "Displays the outcome, usually as 'success' or 'failure'.", + "name": "eventOutcome", + "type": "keyword" + }, + { + "description": "The ID used by an originating device. 
They are usually increasing numbers, associated with events.", + "name": "externalId", + "type": "keyword" + }, + { + "description": "Time when the file was created.", + "name": "fileCreateTime", + "type": "date" + }, + { + "description": "Hash of a file.", + "name": "fileHash", + "type": "keyword" + }, + { + "description": "An ID associated with a file could be the inode.", + "name": "fileId", + "type": "keyword" + }, + { + "description": "Time when the file was last modified.", + "name": "fileModificationTime", + "type": "date" + }, + { + "description": "Name of the file only (without its path).", + "name": "filename", + "type": "keyword" + }, + { + "description": "Full path to the file, including file name itself.", + "name": "filePath", + "type": "keyword" + }, + { + "description": "Permissions of the file.", + "name": "filePermission", + "type": "keyword" + }, + { + "description": "Size of the file.", + "name": "fileSize", + "type": "long" + }, + { + "description": "Type of file (pipe, socket, etc.)", + "name": "fileType", + "type": "keyword" + }, + { + "description": "A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.", + "name": "flexDate1", + "type": "date" + }, + { + "description": "The label field is a string and describes the purpose of the flex field.", + "name": "flexDate1Label", + "type": "keyword" + }, + { + "description": "One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. 
These fields are typically reserved for customer use and should not be set by vendors unless necessary.", + "name": "flexString1", + "type": "keyword" + }, + { + "description": "One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.", + "name": "flexString2", + "type": "keyword" + }, + { + "description": "The label field is a string and describes the purpose of the flex field.", + "name": "flexString1Label", + "type": "keyword" + }, + { + "description": "The label field is a string and describes the purpose of the flex field.", + "name": "flexString2Label", + "type": "keyword" + }, + { + "description": "An arbitrary message giving more details about the event. Multi-line entries can be produced by using \\n as the new line separator.", + "name": "message", + "type": "keyword" + }, + { + "description": "Time when old file was created.", + "name": "oldFileCreateTime", + "type": "date" + }, + { + "description": "Hash of the old file.", + "name": "oldFileHash", + "type": "keyword" + }, + { + "description": "An ID associated with the old file could be the inode.", + "name": "oldFileId", + "type": "keyword" + }, + { + "description": "Time when old file was last modified.", + "name": "oldFileModificationTime", + "type": "date" + }, + { + "description": "Name of the old file.", + "name": "oldFileName", + "type": "keyword" + }, + { + "description": "Full path to the old file, including the file name itself.", + "name": "oldFilePath", + "type": "keyword" + }, + { + "description": "Permissions of the old file.", + "name": "oldFilePermission", + "type": "keyword" + }, + { + "description": "Size of the old file.", + "name": "oldFileSize", + "type": "long" + }, + { + "description": "Type of the old file (pipe, socket, etc.)", + "name": 
"oldFileType", + "type": "keyword" + }, + { + "description": null, + "name": "rawEvent", + "type": "keyword" + }, + { + "description": "The reason an audit event was generated. For example \"bad password\" or \"unknown user\". This could also be an error or return code. Example \"0x1234\".", + "name": "Reason", + "type": "keyword" + }, + { + "description": "The User-Agent associated with the request.", + "name": "requestClientApplication", + "type": "keyword" + }, + { + "description": "Description of the content from which the request originated (for example, HTTP Referrer)", + "name": "requestContext", + "type": "keyword" + }, + { + "description": "Cookies associated with the request.", + "name": "requestCookies", + "type": "keyword" + }, + { + "description": "The HTTP method used to access a URL.", + "name": "requestMethod", + "type": "keyword" + }, + { + "description": "In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well.", + "name": "requestUrl", + "type": "keyword" + }, + { + "description": "Identifies the source that an event refers to in an IP network.", + "name": "sourceAddress", + "type": "ip" + }, + { + "description": "The DNS domain part of the complete fully qualified domain name (FQDN).", + "name": "sourceDnsDomain", + "type": "keyword" + }, + { + "description": null, + "name": "sourceGeoLatitude", + "type": "double" + }, + { + "description": null, + "name": "sourceGeoLongitude", + "type": "double" + }, + { + "description": "Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. 
Examples: 'host' or 'host.domain.com'.\n", + "name": "sourceHostName", + "type": "keyword" + }, + { + "description": "Six colon-separated hexadecimal numbers.", + "example": "00:0d:60:af:1b:61", + "name": "sourceMacAddress", + "type": "keyword" + }, + { + "description": "The Windows domain name for the source address.", + "name": "sourceNtDomain", + "type": "keyword" + }, + { + "description": "The valid port numbers are 0 to 65535.", + "name": "sourcePort", + "type": "long" + }, + { + "description": "The ID of the source process associated with the event.", + "name": "sourceProcessId", + "type": "long" + }, + { + "description": "The name of the event's source process.", + "name": "sourceProcessName", + "type": "keyword" + }, + { + "description": "The service that is responsible for generating this event.", + "name": "sourceServiceName", + "type": "keyword" + }, + { + "description": "Identifies the translated source that the event refers to in an IP network.", + "name": "sourceTranslatedAddress", + "type": "ip" + }, + { + "description": "A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535.", + "name": "sourceTranslatedPort", + "type": "long" + }, + { + "description": null, + "name": "sourceTranslatedZoneExternalID", + "type": "keyword" + }, + { + "description": "The URI for the Translated Zone that the destination asset has been assigned to in ArcSight.", + "name": "sourceTranslatedZoneURI", + "type": "keyword" + }, + { + "description": "Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0.", + "name": "sourceUserId", + "type": "keyword" + }, + { + "description": "Identifies the source user by name. Email addresses are also mapped into the UserName fields. 
The sender is a candidate to put into this field.", + "name": "sourceUserName", + "type": "keyword" + }, + { + "description": "The typical values are \"Administrator\", \"User\", and \"Guest\". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with \"Administrator\".", + "name": "sourceUserPrivileges", + "type": "keyword" + }, + { + "description": null, + "name": "sourceZoneExternalID", + "type": "keyword" + }, + { + "description": "The URI for the Zone that the source asset has been assigned to in ArcSight.", + "name": "sourceZoneURI", + "type": "keyword" + }, + { + "description": "The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970)", + "name": "startTime", + "type": "date" + }, + { + "description": "Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP.", + "name": "transportProtocol", + "type": "keyword" + }, + { + "description": "0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0).", + "name": "type", + "type": "long" + }, + { + "description": "Device type. Examples - Proxy, IDS, Web Server", + "name": "categoryDeviceType", + "type": "keyword" + }, + { + "description": "Object that the event is about. For example it can be an operating sytem, database, file, etc.", + "name": "categoryObject", + "type": "keyword" + }, + { + "description": "Action or a behavior associated with an event. It's what is being done to the object.", + "name": "categoryBehavior", + "type": "keyword" + }, + { + "description": "Technique being used (e.g. 
/DoS).", + "name": "categoryTechnique", + "type": "keyword" + }, + { + "description": "General device group like Firewall.", + "name": "categoryDeviceGroup", + "type": "keyword" + }, + { + "description": "Characterization of the importance of the event.", + "name": "categorySignificance", + "type": "keyword" + }, + { + "description": "Outcome of the event (e.g. sucess, failure, or attempt).", + "name": "categoryOutcome", + "type": "keyword" + }, + { + "description": "When the Arcsight ESM received the event.", + "name": "managerReceiptTime", + "type": "date" + } + ], + "name": "extensions", + "type": "group" + } + ], + "name": "cef", + "type": "group" + }, + { + "description": "Service that is the source of the event.", + "name": "source.service.name", + "type": "keyword" + }, + { + "description": "Service that is the target of the event.", + "name": "destination.service.name", + "type": "keyword" + } + ], + "key": "cef", + "title": "Decode CEF processor fields" + } + ] + } + } + } + } + } + }, + "scripts": { + "folders": { + "fileset": { + "files": { + "fields.yml": [ + { + "description": "{fileset}\n", + "fields": [ + { + "description": "Example field\n", + "name": "example", + "type": "keyword" + } + ], + "name": { + "fileset": null + }, + "type": "group" + } + ] + }, + "folders": { + "config": { + "files": { + "config.yml": [ + { + "description": "Contains fields for the Traefik access logs.\n", + "fields": [ + { + "description": "Is the RFC 1413 identity of the client\n", + "name": "user_identifier", + "type": "keyword" + }, + { + "description": "The number of requests\n", + "name": "request_count", + "type": "long" + }, + { + "description": "The name of the frontend used\n", + "name": "frontend_name", + "type": "keyword" + }, + { + "description": "The url of the backend where request is forwarded", + "name": "backend_url", + "type": "keyword" + }, + { + "migration": true, + "name": "body_sent.bytes", + "path": "http.response.body.bytes", + "type": "alias" + 
}, + { + "migration": true, + "name": "remote_ip", + "path": "source.address", + "type": "alias" + }, + { + "migration": true, + "name": "user_name", + "path": "user.name", + "type": "alias" + }, + { + "migration": true, + "name": "method", + "path": "http.request.method", + "type": "alias" + }, + { + "migration": true, + "name": "url", + "path": "url.original", + "type": "alias" + }, + { + "migration": true, + "name": "http_version", + "path": "http.version", + "type": "alias" + }, + { + "migration": true, + "name": "response_code", + "path": "http.response.status_code", + "type": "alias" + }, + { + "migration": true, + "name": "referrer", + "path": "http.request.referrer", + "type": "alias" + }, + { + "migration": true, + "name": "agent", + "path": "user_agent.original", + "type": "alias" + }, + { + "fields": [ + { + "name": "device", + "path": "user_agent.device.name", + "type": "alias" + }, + { + "name": "name", + "path": "user_agent.name", + "type": "alias" + }, + { + "name": "os", + "path": "user_agent.os.full_name", + "type": "alias" + }, + { + "name": "os_name", + "path": "user_agent.os.name", + "type": "alias" + }, + { + "name": "original", + "path": "user_agent.original", + "type": "alias" + } + ], + "name": "user_agent", + "type": "group" + }, + { + "fields": [ + { + "name": "continent_name", + "path": "source.geo.continent_name", + "type": "alias" + }, + { + "name": "country_iso_code", + "path": "source.geo.country_iso_code", + "type": "alias" + }, + { + "name": "location", + "path": "source.geo.location", + "type": "alias" + }, + { + "name": "region_name", + "path": "source.geo.region_name", + "type": "alias" + }, + { + "name": "city_name", + "path": "source.geo.city_name", + "type": "alias" + }, + { + "name": "region_iso_code", + "path": "source.geo.region_iso_code", + "type": "alias" + } + ], + "name": "geoip", + "type": "group" + } + ], + "name": "access", + "type": "group" + } + ] + } + } + } + }, + "module": { + "folders": { + "_meta": { + 
"files": { + "config.yml": [ + { + "description": "{fileset}\n", + "fields": [ + { + "description": "Example field\n", + "name": "example", + "type": "keyword" + } + ], + "name": { + "fileset": null + }, + "type": "group" + } + ], + "fields.yml": [ + { + "description": "{module} Module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": { + "module": null + }, + "type": "group" + } + ], + "key": { + "module": null + }, + "title": "{module}" + } + ] + } + } + } + } + } + }, + "tests": { + "folders": { + "files": { + "files": { + "config.yml": { + "filebeat": { + "config_dir": "/prospectorConfigs/", + "idle_timeout": "5s", + "inputs": [ + { + "close_inactive": "5m", + "fields": { + "level": "debug", + "review": 1, + "type": "log" + }, + "harvester_buffer_size": 5000, + "ignore_older": 0, + "input": "log", + "paths": [ + "/var/log/app*.log", + "/var/log/s*.log" + ], + "scan_frequency": "10s", + "tail_files": false + }, + { + "fields": null, + "input": "log", + "paths": [ + "/var/log/test.log" + ] + }, + { + "fields": null, + "input": "stdin" + } + ], + "spool_size": 2048 + }, + "output": { + "elasticsearch": { + "enabled": true, + "hosts": [ + "192.168.99.100:9200" + ] + } + } + } + } + }, + "system": { + "folders": { + "input": { + "folders": { + "template-test-module": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "module": "template-test-module", + "test": { + "enabled": true, + "var.parse_time": true + } + } + ], + "fields.yml": [ + { + "description": "template-test-module Module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "template-test-module", + "type": "group" + } + ], + "key": "template-test-module", + "title": "template-test-module" + } + ] + } + } + } + } + } + } + } + } + } + } + } + }, + "functionbeat": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": null, + "fields": null, + "key": "functionbeat", + "title": "Functionbeat" + } + ] + } + } + } + }, + 
"heartbeat": { + "folders": { + "_meta": { + "files": { + "fields.common.yml": [ + { + "description": null, + "fields": [ + { + "description": "Common monitor fields.\n", + "fields": [ + { + "description": "The monitor type.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "The monitors configured name\n", + "multi_fields": [ + { + "analyzer": "simple", + "name": "text", + "type": "text" + } + ], + "name": "name", + "type": "keyword" + }, + { + "description": "The monitors full job ID as used by heartbeat.\n", + "multi_fields": [ + { + "analyzer": "simple", + "name": "text", + "type": "text" + } + ], + "name": "id", + "type": "keyword" + }, + { + "description": "Total monitoring test duration", + "fields": [ + { + "description": "Duration in microseconds", + "name": "us", + "type": "long" + } + ], + "name": "duration", + "type": "group" + }, + { + "description": "Address url scheme. For example `tcp`, `tls`, `http`, and `https`.\n", + "migration": true, + "name": "scheme", + "path": "url.scheme", + "type": "alias" + }, + { + "description": "Hostname of service being monitored. Can be missing, if service is monitored by IP.\n", + "migration": true, + "name": "host", + "path": "url.domain", + "type": "alias" + }, + { + "description": "IP of service being monitored. 
If service is monitored by hostname, the `ip` field contains the resolved ip address for the current host.\n", + "name": "ip", + "type": "ip" + }, + { + "description": "Indicator if monitor could validate the service to be available.\n", + "name": "status", + "required": true, + "type": "keyword" + }, + { + "description": "A token unique to a simultaneously invoked group of checks as in the case where multiple IPs are checked for a single DNS entry.\n", + "name": "check_group", + "type": "keyword" + }, + { + "description": "Time range this ping reported starting at the instant the check was started, ending at the start of the next scheduled check.\n", + "name": "timespan", + "type": "date_range" + } + ], + "name": "monitor", + "type": "group" + } + ], + "key": "common", + "title": "Common heartbeat monitor" + }, + { + "description": null, + "fields": [ + { + "description": "Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`.", + "fields": [ + { + "description": "The number of endpoints that succeeded\n", + "name": "up", + "type": "integer" + }, + { + "description": "The number of endpoints that failed\n", + "name": "down", + "type": "integer" + } + ], + "name": "summary", + "type": "group" + } + ], + "key": "summary", + "title": "Monitor summary" + }, + { + "description": null, + "fields": [ + { + "description": "Host lookup fields.\n", + "fields": [ + { + "description": "Hostname of service being monitored.\n", + "migration": true, + "name": "host", + "path": "url.domain", + "type": "alias" + }, + { + "description": "IP address found for the given host.\n", + "name": "ip", + "type": "ip" + }, + { + "description": "Duration required to resolve an IP from hostname.", + "fields": [ + { + "description": "Duration in microseconds", + "name": "us", + "type": "long" + } + ], + "name": "rtt", + "type": "group" + } + ], + "name": "resolve", + "type": "group" + } + ], + "key": "resolve", + "title": "Host 
lookup" + } + ] + } + }, + "monitors": { + "folders": { + "active": { + "folders": { + "dialchain": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": null, + "fields": [ + { + "description": "SOCKS5 proxy related fields:\n", + "fields": [ + { + "description": "TLS layer round trip times.\n", + "fields": [ + { + "description": "Time required to establish a connection via SOCKS5 to endpoint based on available connection to SOCKS5 proxy.\n", + "fields": [ + { + "description": "Duration in microseconds", + "name": "us", + "type": "long" + } + ], + "name": "connect", + "type": "group" + } + ], + "name": "rtt", + "type": "group" + } + ], + "name": "socks5", + "type": "group" + } + ], + "key": "socks5", + "title": "SOCKS5 proxy" + }, + { + "description": null, + "fields": [ + { + "description": "TLS layer related fields.\n", + "fields": [ + { + "deprecated": "7.8.0", + "description": "Deprecated in favor of `tls.server.x509.not_before`. Earliest time at which the connection's certificates are valid.", + "name": "certificate_not_valid_before", + "type": "date" + }, + { + "deprecated": "7.8.0", + "description": "Deprecated in favor of `tls.server.x509.not_after`. Latest time at which the connection's certificates are valid.", + "name": "certificate_not_valid_after", + "type": "date" + }, + { + "description": "TLS layer round trip times.\n", + "fields": [ + { + "description": "Time required to finish TLS handshake based on already available network connection.\n", + "fields": [ + { + "description": "Duration in microseconds", + "name": "us", + "type": "long" + } + ], + "name": "handshake", + "type": "group" + } + ], + "name": "rtt", + "type": "group" + }, + { + "description": "Detailed x509 certificate metadata", + "fields": [ + { + "fields": [ + { + "default_field": false, + "description": "List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.", + "example": "*.elastic.co", + "ignore_above": 1024, + "name": "alternative_names", + "type": "keyword" + }, + { + "fields": [ + { + "default_field": false, + "description": "List of common name (CN) of issuing certificate authority.", + "example": "DigiCert SHA2 High Assurance Server CA", + "ignore_above": 1024, + "multi_fields": [ + { + "analyzer": "simple", + "name": "text", + "type": "text" + } + ], + "name": "common_name", + "type": "keyword" + }, + { + "default_field": false, + "description": "Distinguished name (DN) of issuing certificate authority.", + "example": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA", + "ignore_above": 1024, + "name": "distinguished_name", + "type": "keyword" + } + ], + "name": "issuer", + "type": "group" + }, + { + "default_field": false, + "description": "Time at which the certificate is no longer considered valid.", + "example": "2020-07-16T03:15:39+00:00", + "name": "not_after", + "type": "date" + }, + { + "default_field": false, + "description": "Time at which the certificate is first considered valid.", + "example": "2019-08-16T01:40:25+00:00", + "name": "not_before", + "type": "date" + }, + { + "default_field": false, + "description": "Algorithm used to generate the public key.", + "example": "RSA", + "ignore_above": 1024, + "name": "public_key_algorithm", + "type": "keyword" + }, + { + "default_field": false, + "description": "The curve used by the elliptic curve public key algorithm. This is algorithm specific.", + "example": "nistp521", + "ignore_above": 1024, + "name": "public_key_curve", + "type": "keyword" + }, + { + "default_field": false, + "description": "Exponent used to derive the public key. 
This is algorithm specific.", + "example": 65537, + "name": "public_key_exponent", + "type": "long" + }, + { + "default_field": false, + "description": "The size of the public key space in bits.", + "example": 2048, + "name": "public_key_size", + "type": "long" + }, + { + "default_field": false, + "description": "Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.", + "example": "55FBB9C7DEBF09809D12CCAA", + "ignore_above": 1024, + "name": "serial_number", + "type": "keyword" + }, + { + "default_field": false, + "description": "Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).", + "example": "SHA256-RSA", + "ignore_above": 1024, + "name": "signature_algorithm", + "type": "keyword" + }, + { + "fields": [ + { + "default_field": false, + "description": "List of common names (CN) of subject.", + "example": "r2.shared.global.fastly.net", + "ignore_above": 1024, + "multi_fields": [ + { + "analyzer": "simple", + "name": "text", + "type": "text" + } + ], + "name": "common_name", + "type": "keyword" + }, + { + "default_field": false, + "description": "Distinguished name (DN) of the certificate subject entity.", + "example": "C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net", + "ignore_above": 1024, + "name": "distinguished_name", + "type": "keyword" + } + ], + "name": "subject", + "type": "group" + }, + { + "default_field": false, + "description": "Version of x509 format.", + "example": 3, + "ignore_above": 1024, + "name": "version_number", + "type": "keyword" + } + ], + "name": "x509", + "type": "group" + } + ], + "name": "server", + "type": "group" + } + ], + "name": "tls", + "type": "group" + } + ], + "key": "tls", + "title": "TLS encryption layer" + } + ] + } + } + } + }, + "http": { + 
"folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": null, + "fields": [ + { + "description": "HTTP related fields.\n", + "fields": [ + { + "description": "Service url used by monitor.\n", + "migration": true, + "name": "url", + "path": "url.full", + "type": "alias" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Hash of the full response body. Can be used to group responses with identical hashes.\n", + "name": "hash", + "type": "keyword" + } + ], + "name": "body", + "type": "group" + }, + { + "description": "List of redirects followed to arrive at final content. Last item on the list is the URL for which body content is shown.\n", + "name": "redirects", + "type": "keyword" + }, + { + "description": "The canonical headers of the monitored HTTP response.\n", + "enabled": false, + "name": "headers.*", + "type": "object" + } + ], + "name": "response", + "type": "group" + }, + { + "description": "HTTP layer round trip times.\n", + "fields": [ + { + "description": "Duration between first byte of HTTP request being written and\nresponse being processed by validator. Duration based on already\navailable network connection.\n\nNote: if validator is not reading body or only a prefix, this\n number does not fully represent the total time needed\n to read the body.\n", + "fields": [ + { + "description": "Duration in microseconds", + "name": "us", + "type": "long" + } + ], + "name": "validate", + "type": "group" + }, + { + "description": "Duration of validator required to read and validate the response\nbody.\n\nNote: if validator is not reading body or only a prefix, this\n number does not fully represent the total time needed\n to read the body.\n", + "fields": [ + { + "description": "Duration in microseconds", + "name": "us", + "type": "long" + } + ], + "name": "validate_body", + "type": "group" + }, + { + "description": "Duration of sending the complete HTTP request. 
Duration based on already available network connection.", + "fields": [ + { + "description": "Duration in microseconds", + "name": "us", + "type": "long" + } + ], + "name": "write_request", + "type": "group" + }, + { + "description": "Time required between sending the start of sending the HTTP request and first byte from HTTP response being read. Duration based on already available network connection.", + "fields": [ + { + "description": "Duration in microseconds", + "name": "us", + "type": "long" + } + ], + "name": "response_header", + "type": "group" + }, + { + "description": "Time required to retrieved the content in micro seconds.", + "name": "content.us", + "type": "long" + }, + { + "description": "Duration required to process the HTTP transaction. Starts with\nthe initial TCP connection attempt. Ends with after validator\ndid check the response.\n\nNote: if validator is not reading body or only a prefix, this\n number does not fully represent the total time needed.\n", + "fields": [ + { + "description": "Duration in microseconds", + "name": "us", + "type": "long" + } + ], + "name": "total", + "type": "group" + } + ], + "name": "rtt", + "type": "group" + } + ], + "name": "http", + "type": "group" + } + ], + "key": "http", + "title": "HTTP monitor" + } + ] + } + } + } + }, + "icmp": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": null, + "fields": [ + { + "description": "IP ping fields.\n", + "fields": [ + { + "description": "Number if ICMP EchoRequests send.\n", + "name": "requests", + "type": "integer" + }, + { + "description": "ICMP Echo Request and Reply round trip time", + "fields": [ + { + "description": "Duration in microseconds", + "name": "us", + "type": "long" + } + ], + "name": "rtt", + "type": "group" + } + ], + "name": "icmp", + "type": "group" + } + ], + "key": "icmp", + "title": "ICMP" + } + ] + } + } + } + }, + "tcp": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": null, + 
"fields": [ + { + "description": "TCP network layer related fields.\n", + "fields": [ + { + "description": "Service port number.\n", + "migration": true, + "name": "port", + "path": "url.port", + "type": "alias" + }, + { + "description": "TCP layer round trip times.\n", + "fields": [ + { + "description": "Duration required to establish a TCP connection based on already available IP address.\n", + "fields": [ + { + "description": "Duration in microseconds", + "name": "us", + "type": "long" + } + ], + "name": "connect", + "type": "group" + }, + { + "description": "Duration of validation step based on existing TCP connection.\n", + "fields": [ + { + "description": "Duration in microseconds", + "name": "us", + "type": "long" + } + ], + "name": "validate", + "type": "group" + } + ], + "name": "rtt", + "type": "group" + } + ], + "name": "tcp", + "type": "group" + } + ], + "key": "tcp", + "title": "TCP layer" + } + ] + } + } + } + } + } + } + } + } + } + }, + "journalbeat": { + "folders": { + "_meta": { + "files": { + "fields.common.yml": [ + { + "description": "Contains common fields available in all event types.\n", + "fields": [ + { + "description": "Fields used by systemd-coredump kernel helper.\n", + "fields": [ + { + "description": "Annotations of messages containing coredumps from system units.\n", + "name": "unit", + "type": "keyword" + }, + { + "description": "Annotations of messages containing coredumps from user units.\n", + "name": "user_unit", + "type": "keyword" + } + ], + "name": "coredump", + "type": "group" + }, + { + "description": "Fields provided by journald.\n", + "fields": [ + { + "description": "Fields to log on behalf of a different program.\n", + "fields": [ + { + "description": "Audit fields of event.\n", + "fields": [ + { + "description": "The login UID of the object process.\n", + "example": 1000, + "name": "login_uid", + "required": false, + "type": "long" + }, + { + "description": "The audit session of the object process.\n", + "example": 3, 
+ "name": "session", + "required": false, + "type": "long" + } + ], + "name": "audit", + "type": "group" + }, + { + "description": "The command line of the process.\n", + "example": "/lib/systemd/systemd --user", + "name": "cmd", + "required": false, + "type": "keyword" + }, + { + "description": "Name of the executable.\n", + "example": "/lib/systemd/systemd", + "name": "name", + "required": false, + "type": "keyword" + }, + { + "description": "Path to the the executable.\n", + "example": "/lib/systemd/systemd", + "name": "executable", + "required": false, + "type": "keyword" + }, + { + "description": "UID of the object process.\n", + "name": "uid", + "required": false, + "type": "long" + }, + { + "description": "GID of the object process.\n", + "name": "gid", + "required": false, + "type": "long" + }, + { + "description": "PID of the object process.\n", + "name": "pid", + "required": false, + "type": "long" + }, + { + "description": "Systemd fields of event.\n", + "fields": [ + { + "description": "The UID of the owner.\n", + "name": "owner_uid", + "required": false, + "type": "long" + }, + { + "description": "The ID of the systemd session.\n", + "name": "session", + "required": false, + "type": "keyword" + }, + { + "description": "The name of the systemd unit.\n", + "name": "unit", + "required": false, + "type": "keyword" + }, + { + "description": "The name of the systemd user unit.\n", + "name": "user_unit", + "required": false, + "type": "keyword" + } + ], + "name": "systemd", + "type": "group" + } + ], + "name": "object", + "type": "group" + }, + { + "description": "Fields to log on behalf of a different program.\n", + "fields": [ + { + "description": "The kernel device name.\n", + "name": "device", + "required": false, + "type": "keyword" + }, + { + "description": "The kernel subsystem name.\n", + "name": "subsystem", + "required": false, + "type": "keyword" + }, + { + "description": "Additional symlink names pointing to the device node in /dev.\n", + "name": 
"device_symlinks", + "required": false, + "type": "keyword" + }, + { + "description": "The device node path of this device in /dev.\n", + "name": "device_node_path", + "required": false, + "type": "keyword" + }, + { + "description": "The kernel device name as it shows up in the device tree below /sys.\n", + "name": "device_name", + "required": false, + "type": "keyword" + } + ], + "name": "kernel", + "type": "group" + }, + { + "description": "Fields of the code generating the event.\n", + "fields": [ + { + "description": "The name of the source file where the log is generated.\n", + "example": "../src/core/manager.c", + "name": "file", + "required": false, + "type": "keyword" + }, + { + "description": "The name of the function which generated the log message.\n", + "example": "job_log_status_message", + "name": "function", + "required": false, + "type": "keyword" + }, + { + "description": "The line number of the code which generated the log message.\n", + "example": 123, + "name": "line", + "required": false, + "type": "long" + } + ], + "name": "code", + "type": "group" + }, + { + "description": "Fields to log on behalf of a different program.\n", + "fields": [ + { + "description": "Audit fields of event.\n", + "fields": [ + { + "description": "The login UID of the source process.\n", + "example": 1000, + "name": "loginuid", + "required": false, + "type": "long" + }, + { + "description": "The audit session of the source process.\n", + "example": 3, + "name": "session", + "required": false, + "type": "long" + } + ], + "name": "audit", + "type": "group" + }, + { + "description": "The command line of the process.\n", + "example": "/lib/systemd/systemd --user", + "name": "cmd", + "required": false, + "type": "keyword" + }, + { + "description": "Name of the executable.\n", + "example": "/lib/systemd/systemd", + "name": "name", + "required": false, + "type": "keyword" + }, + { + "description": "Path to the the executable.\n", + "example": "/lib/systemd/systemd", + 
"name": "executable", + "required": false, + "type": "keyword" + }, + { + "description": "The ID of the process which logged the message.\n", + "example": 1, + "name": "pid", + "required": false, + "type": "long" + }, + { + "description": "The ID of the group which runs the process.\n", + "example": 1, + "name": "gid", + "required": false, + "type": "long" + }, + { + "description": "The ID of the user which runs the process.\n", + "example": 1, + "name": "uid", + "required": false, + "type": "long" + }, + { + "description": "The effective capabilites of the process.\n", + "name": "capabilites", + "required": false + } + ], + "name": "process", + "type": "group" + } + ], + "name": "journald", + "type": "group" + }, + { + "description": "Fields of systemd.\n", + "fields": [ + { + "description": "The invocation ID for the runtime cycle of the unit the message was generated in.\n", + "example": "8450f1672de646c88cd133aadd4f2d70", + "name": "invocation_id", + "required": false, + "type": "keyword" + }, + { + "description": "The control group path in the systemd hierarchy.\n", + "example": "/user.slice/user-1234.slice/session-2.scope", + "name": "cgroup", + "required": false, + "type": "keyword" + }, + { + "description": "The owner UID of the systemd user unit or systemd session.\n", + "name": "owner_uid", + "required": false, + "type": "long" + }, + { + "description": "The ID of the systemd session.\n", + "name": "session", + "required": false, + "type": "keyword" + }, + { + "description": "The systemd slice unit.\n", + "example": "user-1234.slice", + "name": "slice", + "required": false, + "type": "keyword" + }, + { + "description": "The systemd user slice unit.\n", + "name": "user_slice", + "required": false, + "type": "keyword" + }, + { + "description": "The name of the systemd unit.\n", + "example": "nginx.service", + "name": "unit", + "required": false, + "type": "keyword" + }, + { + "description": "The name of the systemd user unit.\n", + "example": 
"user-1234.slice", + "name": "user_unit", + "required": false, + "type": "keyword" + }, + { + "description": "How the log message was received by journald.\n", + "example": "syslog", + "name": "transport", + "required": true, + "type": "keyword" + } + ], + "name": "systemd", + "type": "group" + }, + { + "description": "Fields of the host.\n", + "fields": [ + { + "description": "The boot ID for the boot the log was generated in.\n", + "example": "dd8c974asdf01dbe2ef26d7fasdf264c9", + "name": "boot_id", + "required": false, + "type": "keyword" + } + ], + "name": "host", + "type": "group" + }, + { + "description": "Fields of the code generating the event.\n", + "fields": [ + { + "description": "The priority of the message. A syslog compatibility field.\n", + "example": 1, + "name": "priority", + "required": false, + "type": "long" + }, + { + "description": "The facility of the message. A syslog compatibility field.\n", + "example": 1, + "name": "facility", + "required": false, + "type": "long" + }, + { + "description": "The identifier of the message. 
A syslog compatibility field.\n", + "example": "su", + "name": "identifier", + "required": false, + "type": "keyword" + } + ], + "name": "syslog", + "type": "group" + }, + { + "description": "Arbitrary fields coming from processes.\n", + "name": "custom", + "required": false, + "type": "nested" + }, + { + "migration": true, + "name": "read_timestamp", + "path": "event.created", + "type": "alias" + }, + { + "fields": [ + { + "fields": [ + { + "description": "User defined tag of a container.\n", + "name": "tag", + "type": "keyword" + } + ], + "name": "log", + "type": "group" + } + ], + "name": "container", + "type": "group" + } + ], + "key": "common", + "title": "Common Journalbeat" + } + ] + } + } + } + }, + "libbeat": { + "folders": { + "_meta": { + "files": { + "fields.common.yml": [ + { + "anchor": "beat-common", + "description": "Contains common beat fields available in all event types.\n", + "fields": [ + { + "description": "Deprecated - use agent.name or agent.id to identify an agent. Hostname of the agent.\n", + "name": "agent.hostname", + "type": "keyword" + }, + { + "migration": true, + "name": "beat.timezone", + "path": "event.timezone", + "type": "alias" + }, + { + "description": "Contains user configurable fields.\n", + "name": "fields", + "object_type": "keyword", + "type": "object" + }, + { + "migration": true, + "name": "beat.name", + "path": "host.name", + "type": "alias" + }, + { + "migration": true, + "name": "beat.hostname", + "path": "agent.hostname", + "type": "alias" + }, + { + "description": "Time series instance id", + "name": "timeseries.instance", + "type": "keyword" + } + ], + "key": "beat", + "title": "Beat" + } + ] + } + }, + "autodiscover": { + "folders": { + "providers": { + "folders": { + "aws": { + "folders": { + "ec2": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "AWS EC2 Listeners\n", + "fields": [ + { + "description": "Represents an AWS EC2 Listener, e.g. 
state of an EC2.\n", + "fields": [ + { + "description": "The EC2 instance architecture (i386 | x86_64 | arm64 ).", + "name": "architecture", + "type": "keyword" + }, + { + "description": "The ID of the image used to launch the instance.", + "name": "image.id", + "type": "keyword" + }, + { + "description": "The kernel associated with this instance, if applicable.", + "name": "kernel.id", + "type": "keyword" + }, + { + "description": "Indicates whether detailed monitoring is enabled (disabled | enabled).", + "name": "monitoring.state", + "type": "keyword" + }, + { + "description": "The private DNS name.", + "name": "private.dns_name", + "type": "keyword" + }, + { + "description": "The IPv4 address of the network interface within the subnet.", + "name": "private.ip", + "type": "keyword" + }, + { + "description": "The public DNS name.", + "name": "public.dns_name", + "type": "keyword" + }, + { + "description": "The public IPv4 address assigned to the instance, if applicable.", + "name": "public.ip", + "type": "keyword" + }, + { + "description": "The device name of the root device volume (for example, /dev/sda1).", + "name": "root_device_name", + "type": "keyword" + }, + { + "description": "The reason code for the state change.", + "name": "state.code", + "type": "keyword" + }, + { + "description": "A message that describes the state change.", + "name": "state.name", + "type": "keyword" + }, + { + "description": "The ID of the subnet in which the instance is running.", + "name": "subnet.id", + "type": "keyword" + }, + { + "description": "The ID of the VPC that the instance is running in.", + "name": "vpc.id", + "type": "keyword" + }, + { + "description": "Tag key value pairs from aws resources.", + "name": "tags.*", + "object_type": "keyword", + "object_type_mapping_type": "*", + "type": "object" + } + ], + "name": "aws.ec2", + "type": "group" + } + ], + "key": "aws.ec2", + "release": "experimental", + "short_config": false, + "title": "EC2 Listener" + } + ] + } + } + } 
+ }, + "elb": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "AWS ELB Listeners\n", + "fields": [ + { + "description": "Represents an AWS ELB Listener, e.g. a port on an ELB.\n", + "fields": [ + { + "description": "Whether this is an ipv4 or dual-stack IP", + "example": "ipv4", + "name": "ip_address_type", + "required": true, + "type": "keyword" + }, + { + "description": "Current state of the ELB", + "example": "active", + "name": "state", + "type": "keyword" + }, + { + "description": "Whether this is an application or network loadbalancer", + "example": "application", + "name": "type", + "type": "keyword" + }, + { + "description": "The application layer protocol", + "example": "HTTP", + "name": "protocol", + "type": "keyword" + }, + { + "description": "ID of the VPC", + "example": "vpc-123456", + "name": "vpc_id", + "type": "keyword" + }, + { + "description": "The specific SSL policy", + "name": "ssl_policy", + "type": "keyword" + }, + { + "description": "ARN for the ELB itself", + "example": "arn:aws:elasticloadbalancing:us-east-1:331574139922:loadbalancer/app/testytesty/a14c9934d2a6e438", + "name": "load_balancer_arn", + "type": "keyword" + }, + { + "description": "List of security groups for this", + "example": "sg-a1b555d4", + "name": "security_groups", + "type": "keyword" + }, + { + "description": "Date of creation", + "example": "2019-06-12T21:55:14.490000+00:00", + "name": "created", + "type": "date" + }, + { + "description": "List of AZs this is active in", + "example": "us-east-1e", + "name": "availability_zones", + "type": "keyword" + }, + { + "description": "the hostname for this ELB", + "example": "testytesty-141141146.us-east-1.elb.amazonaws.com", + "name": "host", + "type": "keyword" + }, + { + "description": "ARN for this ELB listener", + "example": "arn:aws:elasticloadbalancing:us-east-1:334575128422:listener/app/testytesty/b74b9934c5a6e438/0e8425ad18d4d529", + "name": "listener_arn", + "type": "keyword" + }, + { 
+ "description": "whether this ELB is internet facing or internal-only", + "example": "internet-facing", + "name": "scheme", + "type": "keyword" + }, + { + "description": "Port number for this listener", + "example": 8080, + "name": "port", + "type": "number" + } + ], + "name": "aws.elb", + "type": "group" + } + ], + "key": "aws.elb", + "release": "experimental", + "short_config": false, + "title": "ELB Listener" + } + ] + } + } + } + } + } + }, + "jolokia": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Metadata from Jolokia Discovery added by the jolokia provider.\n", + "fields": [ + { + "description": "Version number of jolokia agent.\n", + "name": "jolokia.agent.version", + "type": "keyword" + }, + { + "description": "Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.\n", + "name": "jolokia.agent.id", + "type": "keyword" + }, + { + "description": "The container product if detected.\n", + "name": "jolokia.server.product", + "type": "keyword" + }, + { + "description": "The container's version (if detected).\n", + "name": "jolokia.server.version", + "type": "keyword" + }, + { + "description": "The vendor of the container the agent is running in.\n", + "name": "jolokia.server.vendor", + "type": "keyword" + }, + { + "description": "The URL how this agent can be contacted.\n", + "name": "jolokia.url", + "type": "keyword" + }, + { + "description": "Whether the agent was configured for authentication or not.\n", + "name": "jolokia.secured", + "type": "boolean" + } + ], + "key": "jolokia-autodiscover", + "title": "Jolokia Discovery autodiscover provider" + } + ] + } + } + } + } + } + } + } + }, + "kibana": { + "folders": { + "testdata": { + "files": { + "fields.yml": [ + { + "fields": [ + { + "enabled": false, + "fields": [ + { + "name": 
"message", + "type": "text" + } + ], + "name": "group_disabled", + "type": "group" + }, + { + "format": "url", + "input_format": "string", + "label_template": "long template", + "name": "long", + "output_format": "float", + "output_precision": 5, + "type": "long", + "url_template": [ + { + "min_version": "5.0.0", + "value": "_a=(query:(query_string:(analyze_wildcard:!t,query:'error.grouping_key:%22{{value}}%22')))" + }, + { + "min_version": "6.0.0", + "value": "_a=(query:(language:kuery,query:'context.app.name:\"{{value}}\"'))" + } + ] + }, + { + "name": "alias", + "path": "long", + "type": "alias" + } + ], + "key": "test", + "kibana": { + "source_filters": [ + "user.name", + "url.*" + ] + }, + "title": "Test fields.yml" + }, + { + "fields": [ + { + "index": true, + "multi_fields": [ + { + "name": "keyword", + "type": "keyword" + } + ], + "name": "multifield_field", + "type": "text" + }, + { + "description": "Some binary blob.\n", + "name": "blob", + "type": "binary" + } + ], + "key": "with source filter", + "kibana": { + "source_filters": [ + "user.email" + ] + }, + "title": "Test" + } + ] + }, + "folders": { + "extensive": { + "files": { + "fields.yml": [ + { + "description": "Contains common beat fields available in all event types.\n", + "fields": [ + { + "description": "The name of the Beat sending the log messages. If the Beat name is set in the configuration file, then that value is used. If it is not set, the hostname is used. 
To set the Beat name, use the `name` option in the configuration file.\n", + "name": "beat.name" + }, + { + "description": "The hostname as returned by the operating system on which the Beat is running.\n", + "name": "beat.hostname" + }, + { + "description": "The timezone as returned by the operating system on which the Beat is running.\n", + "name": "beat.timezone" + }, + { + "description": "The version of the beat that generated this event.\n", + "name": "beat.version" + }, + { + "description": "The timestamp when the event log record was generated.\n", + "example": "August 26th 2016, 12:35:53.332", + "format": "date", + "name": "@timestamp", + "required": true, + "type": "date" + }, + { + "description": "Arbitrary tags that can be set per Beat and per transaction type.\n", + "name": "tags" + }, + { + "description": "Contains user configurable fields.\n", + "name": "fields", + "object_type": "keyword", + "type": "object" + }, + { + "description": "Error fields containing additional info in case of errors.\n", + "fields": [ + { + "description": "Error message.\n", + "name": "message", + "type": "text" + }, + { + "description": "Error code.\n", + "name": "code", + "type": "long" + }, + { + "description": "Error type.\n", + "name": "type", + "type": "keyword" + } + ], + "name": "error", + "type": "group" + } + ], + "key": "beat", + "title": "Beat" + }, + { + "description": "Metadata from cloud providers added by the add_cloud_metadata processor.\n", + "fields": [ + { + "description": "Name of the cloud provider. 
Possible values are ec2, gce, or digitalocean.\n", + "example": "ec2", + "name": "meta.cloud.provider" + }, + { + "description": "Instance ID of the host machine.\n", + "name": "meta.cloud.instance_id" + }, + { + "description": "Instance name of the host machine.\n", + "name": "meta.cloud.instance_name" + }, + { + "description": "Machine type of the host machine.\n", + "example": "t2.medium", + "name": "meta.cloud.machine_type" + }, + { + "description": "Availability zone in which this host is running.\n", + "example": "us-east-1c", + "name": "meta.cloud.availability_zone" + }, + { + "description": "Name of the project in Google Cloud.\n", + "example": "project-x", + "name": "meta.cloud.project_id" + }, + { + "description": "Region in which this host is running.\n", + "name": "meta.cloud.region" + } + ], + "key": "cloud", + "title": "Cloud provider metadata" + }, + { + "anchor": "docker-processor", + "description": "beta[]\nDocker stats collected from Docker.\n", + "fields": [ + { + "fields": [ + { + "description": "Unique container id.\n", + "name": "container.id", + "type": "keyword" + }, + { + "description": "Name of the image the container was built on.\n", + "name": "container.image", + "type": "keyword" + }, + { + "description": "Container name.\n", + "name": "container.name", + "type": "keyword" + }, + { + "description": "Image labels.\n", + "name": "container.labels", + "object_type": "keyword", + "type": "object" + } + ], + "name": "docker", + "type": "group" + } + ], + "key": "docker", + "short_config": false, + "title": "Docker" + }, + { + "anchor": "kubernetes-processor", + "description": "beta[]\nKubernetes metadata added by the kubernetes processor\n", + "fields": [ + { + "fields": [ + { + "description": "Kubernetes pod name\n", + "name": "pod.name", + "type": "keyword" + }, + { + "description": "Kubernetes namespace\n", + "name": "namespace", + "type": "keyword" + }, + { + "description": "Kubernetes labels map\n", + "name": "labels", + "type": 
"object" + }, + { + "description": "Kubernetes annotations map\n", + "name": "annotations", + "type": "object" + }, + { + "description": "Kubernetes container name\n", + "name": "container.name", + "type": "keyword" + }, + { + "description": "Kubernetes container image\n", + "name": "container.image", + "type": "keyword" + } + ], + "name": "kubernetes", + "type": "group" + } + ], + "key": "kubernetes", + "short_config": false, + "title": "Kubernetes" + }, + { + "description": "Contains common fields available in all event types.\n", + "fields": [ + { + "description": "The name of the module that generated the event.\n", + "name": "metricset.module" + }, + { + "description": "The name of the metricset that generated the event.\n", + "name": "metricset.name" + }, + { + "description": "Hostname of the machine from which the metricset was collected. This field may not be present when the data was collected locally.\n", + "name": "metricset.host" + }, + { + "description": "Event round trip time in microseconds.\n", + "name": "metricset.rtt", + "required": true, + "type": "long" + }, + { + "description": "Namespace of dynamic metricsets.\n", + "name": "metricset.namespace", + "type": "keyword" + }, + { + "description": "The document type. 
Always set to \"metricsets\".\n", + "example": "metricsets", + "name": "type", + "required": true + } + ], + "key": "common", + "title": "Common" + }, + { + "description": "experimental[]\nAerospike module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "namespace\n", + "fields": [ + { + "description": "Client stats.\n", + "fields": [ + { + "description": "Client delete transactions stats.\n", + "fields": [ + { + "description": "Number of client delete transactions that failed with an error.\n", + "name": "error", + "type": "long" + }, + { + "description": "Number of client delete transactions that resulted in a not found.\n", + "name": "not_found", + "type": "long" + }, + { + "description": "Number of successful client delete transactions.\n", + "name": "success", + "type": "long" + }, + { + "description": "Number of client delete transactions that timed out.\n", + "name": "timeout", + "type": "long" + } + ], + "name": "delete", + "type": "group" + }, + { + "description": "Client read transactions stats.\n", + "fields": [ + { + "description": "Number of client read transaction errors.\n", + "name": "error", + "type": "long" + }, + { + "description": "Number of client read transaction that resulted in not found.\n", + "name": "not_found", + "type": "long" + }, + { + "description": "Number of successful client read transactions.\n", + "name": "success", + "type": "long" + }, + { + "description": "Number of client read transaction that timed out.\n", + "name": "timeout", + "type": "long" + } + ], + "name": "read", + "type": "group" + }, + { + "description": "Client write transactions stats.\n", + "fields": [ + { + "description": "Number of client write transactions that failed with an error.\n", + "name": "error", + "type": "long" + }, + { + "description": "Number of successful client write transactions.\n", + "name": "success", + "type": "long" + }, + { + "description": "Number of client write transactions that timed out.\n", + "name": 
"timeout", + "type": "long" + } + ], + "name": "write", + "type": "group" + } + ], + "name": "client", + "type": "group" + }, + { + "description": "Disk storage stats\n", + "fields": [ + { + "description": "Measures the minimum contiguous disk space across all disks in a namespace.\n", + "format": "percent", + "name": "available.pct", + "type": "scaled_float" + }, + { + "description": "Percentage of disk capacity free for this namespace.\n", + "format": "percent", + "name": "free.pct", + "type": "scaled_float" + }, + { + "description": "Total bytes of disk space allocated to this namespace on this node.\n", + "format": "bytes", + "name": "total.bytes", + "type": "long" + }, + { + "description": "Total bytes of disk space used by this namespace on this node.\n", + "format": "bytes", + "name": "used.bytes", + "type": "long" + } + ], + "name": "device", + "type": "group" + }, + { + "description": "If true, Aerospike has breached 'high-water-[disk|memory]-pct' for this namespace.\n", + "name": "hwm_breached", + "type": "boolean" + }, + { + "description": "Memory storage stats.\n", + "fields": [ + { + "description": "Percentage of memory capacity free for this namespace on this node.\n", + "format": "percent", + "name": "free.pct", + "type": "scaled_float" + }, + { + "description": "Amount of memory occupied by data for this namespace on this node.\n", + "format": "bytes", + "name": "used.data.bytes", + "type": "long" + }, + { + "description": "Amount of memory occupied by the index for this namespace on this node.\n", + "format": "bytes", + "name": "used.index.bytes", + "type": "long" + }, + { + "description": "Amount of memory occupied by secondary indexes for this namespace on this node.\n", + "format": "bytes", + "name": "used.sindex.bytes", + "type": "long" + }, + { + "description": "Total bytes of memory used by this namespace on this node.\n", + "format": "bytes", + "name": "used.total.bytes", + "type": "long" + } + ], + "name": "memory", + "type": "group" + }, + 
{ + "description": "Namespace name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Node host\n", + "name": "node.host", + "type": "keyword" + }, + { + "description": "Node name\n", + "name": "node.name", + "type": "keyword" + }, + { + "description": "Records stats.\n", + "fields": [ + { + "description": "Number of records on this node which are active masters.\n", + "name": "master", + "type": "long" + }, + { + "description": "Number of records in this namespace for this node.\n", + "name": "total", + "type": "long" + } + ], + "name": "objects", + "type": "group" + }, + { + "description": "If true this namespace is currently not allowing writes.\n", + "name": "stop_writes", + "type": "boolean" + } + ], + "name": "namespace", + "type": "group" + } + ], + "name": "aerospike", + "type": "group" + } + ], + "key": "aerospike", + "title": "Aerospike" + }, + { + "description": "Apache HTTPD server metricsets collected from the Apache web server.\n", + "fields": [ + { + "description": "`apache` contains the metrics that were scraped from Apache.\n", + "fields": [ + { + "description": "`status` contains the metrics that were scraped from the Apache status page.\n", + "fields": [ + { + "description": "Apache hostname.\n", + "name": "hostname", + "type": "keyword" + }, + { + "description": "Total number of access requests.\n", + "name": "total_accesses", + "type": "long" + }, + { + "description": "Total number of kilobytes served.\n", + "name": "total_kbytes", + "type": "long" + }, + { + "description": "Requests per second.\n", + "name": "requests_per_sec", + "type": "scaled_float" + }, + { + "description": "Bytes per second.\n", + "name": "bytes_per_sec", + "type": "scaled_float" + }, + { + "description": "Bytes per request.\n", + "name": "bytes_per_request", + "type": "scaled_float" + }, + { + "description": "Number of busy workers.\n", + "name": "workers.busy", + "type": "long" + }, + { + "description": "Number of idle workers.\n", + "name": 
"workers.idle", + "type": "long" + }, + { + "description": "Uptime stats.\n", + "fields": [ + { + "description": "Server uptime in seconds.\n", + "name": "server_uptime", + "type": "long" + }, + { + "description": "Server uptime.\n", + "name": "uptime", + "type": "long" + } + ], + "name": "uptime", + "type": "group" + }, + { + "description": "CPU stats.\n", + "fields": [ + { + "description": "CPU Load.\n", + "name": "load", + "type": "scaled_float" + }, + { + "description": "CPU user load.\n", + "name": "user", + "type": "scaled_float" + }, + { + "description": "System cpu.\n", + "name": "system", + "type": "scaled_float" + }, + { + "description": "CPU of children user.\n", + "name": "children_user", + "type": "scaled_float" + }, + { + "description": "CPU of children system.\n", + "name": "children_system", + "type": "scaled_float" + } + ], + "name": "cpu", + "type": "group" + }, + { + "description": "Connection stats.\n", + "fields": [ + { + "description": "Total connections.\n", + "name": "total", + "type": "long" + }, + { + "description": "Async connection writing.\n", + "name": "async.writing", + "type": "long" + }, + { + "description": "Async keeped alive connections.\n", + "name": "async.keep_alive", + "type": "long" + }, + { + "description": "Async closed connections.\n", + "name": "async.closing", + "type": "long" + } + ], + "name": "connections", + "type": "group" + }, + { + "description": "Load averages.\n", + "fields": [ + { + "description": "Load average for the last minute.\n", + "name": "1", + "scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "Load average for the last 5 minutes.\n", + "name": "5", + "scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "Load average for the last 15 minutes.\n", + "name": "15", + "scaling_factor": 100, + "type": "scaled_float" + } + ], + "name": "load", + "type": "group" + }, + { + "description": "Scoreboard metrics.\n", + "fields": [ + { + "description": "Starting up.\n", + 
"name": "starting_up", + "type": "long" + }, + { + "description": "Reading requests.\n", + "name": "reading_request", + "type": "long" + }, + { + "description": "Sending Reply.\n", + "name": "sending_reply", + "type": "long" + }, + { + "description": "Keep alive.\n", + "name": "keepalive", + "type": "long" + }, + { + "description": "Dns Lookups.\n", + "name": "dns_lookup", + "type": "long" + }, + { + "description": "Closing connections.\n", + "name": "closing_connection", + "type": "long" + }, + { + "description": "Logging\n", + "name": "logging", + "type": "long" + }, + { + "description": "Gracefully finishing.\n", + "name": "gracefully_finishing", + "type": "long" + }, + { + "description": "Idle cleanups.\n", + "name": "idle_cleanup", + "type": "long" + }, + { + "description": "Open slots.\n", + "name": "open_slot", + "type": "long" + }, + { + "description": "Waiting for connections.\n", + "name": "waiting_for_connection", + "type": "long" + }, + { + "description": "Total.\n", + "name": "total", + "type": "long" + } + ], + "name": "scoreboard", + "type": "group" + } + ], + "name": "status", + "type": "group" + } + ], + "name": "apache", + "type": "group" + } + ], + "key": "apache", + "short_config": false, + "title": "Apache" + }, + { + "description": "beta[]\nCeph module\n", + "fields": [ + { + "description": "`ceph` contains the metrics that were scraped from CEPH.\n", + "fields": [ + { + "description": "cluster_disk\n", + "fields": [ + { + "description": "Available bytes of the cluster\n", + "format": "bytes", + "name": "available.bytes", + "type": "long" + }, + { + "description": "Total bytes of the cluster\n", + "format": "bytes", + "name": "total.bytes", + "type": "long" + }, + { + "description": "Used bytes of the cluster\n", + "format": "bytes", + "name": "used.bytes", + "type": "long" + } + ], + "name": "cluster_disk", + "type": "group" + }, + { + "description": "cluster_health\n", + "fields": [ + { + "description": "Overall status of the cluster\n", + 
"name": "overall_status", + "type": "keyword" + }, + { + "description": "Map version\n", + "name": "timechecks.epoch", + "type": "long" + }, + { + "description": "timecheck round\n", + "name": "timechecks.round.value", + "type": "long" + }, + { + "description": "Status of the round\n", + "name": "timechecks.round.status", + "type": "keyword" + } + ], + "name": "cluster_health", + "type": "group" + }, + { + "description": "cluster_status\n", + "fields": [ + { + "description": "Ceph Status version\n", + "name": "version", + "type": "long" + }, + { + "description": "Cluster read throughput per second\n", + "format": "bytes", + "name": "traffic.read_bytes", + "type": "long" + }, + { + "description": "Cluster write throughput per second\n", + "format": "bytes", + "name": "traffic.write_bytes", + "type": "long" + }, + { + "description": "Cluster read iops per second\n", + "name": "traffic.read_op_per_sec", + "type": "long" + }, + { + "description": "Cluster write iops per second\n", + "name": "traffic.write_op_per_sec", + "type": "long" + }, + { + "description": "Cluster misplace pg number\n", + "name": "misplace.total", + "type": "long" + }, + { + "description": "Cluster misplace objects number\n", + "name": "misplace.objects", + "type": "long" + }, + { + "description": "Cluster misplace ratio\n", + "format": "percent", + "name": "misplace.ratio", + "type": "scaled_float" + }, + { + "description": "Cluster degraded pg number\n", + "name": "degraded.total", + "type": "long" + }, + { + "description": "Cluster degraded objects number\n", + "name": "degraded.objects", + "type": "long" + }, + { + "description": "Cluster degraded ratio\n", + "format": "percent", + "name": "degraded.ratio", + "type": "scaled_float" + }, + { + "description": "Cluster pg data bytes\n", + "format": "bytes", + "name": "pg.data_bytes", + "type": "long" + }, + { + "description": "Cluster available bytes\n", + "format": "bytes", + "name": "pg.avail_bytes", + "type": "long" + }, + { + "description": 
"Cluster total bytes\n", + "format": "bytes", + "name": "pg.total_bytes", + "type": "long" + }, + { + "description": "Cluster used bytes\n", + "format": "bytes", + "name": "pg.used_bytes", + "type": "long" + }, + { + "description": "Pg state description\n", + "name": "pg_state.state_name", + "type": "long" + }, + { + "description": "Shows how many pgs are in state of pg_state.state_name\n", + "name": "pg_state.count", + "type": "long" + }, + { + "description": "Cluster status version\n", + "name": "pg_state.version", + "type": "long" + }, + { + "description": "Is osd full\n", + "name": "osd.full", + "type": "boolean" + }, + { + "description": "Is osd near full\n", + "name": "osd.nearfull", + "type": "boolean" + }, + { + "description": "Shows how many osds in the cluster\n", + "name": "osd.num_osds", + "type": "long" + }, + { + "description": "Shows how many osds are on the state of UP\n", + "name": "osd.num_up_osds", + "type": "long" + }, + { + "description": "Shows how many osds are on the state of IN\n", + "name": "osd.num_in_osds", + "type": "long" + }, + { + "description": "Shows how many osds are on the state of REMAPPED\n", + "name": "osd.num_in_osds2", + "type": "long" + }, + { + "description": "epoch number\n", + "name": "osd.epoch", + "type": "long" + } + ], + "name": "cluster_status", + "type": "group" + }, + { + "description": "monitor_health stats data\n", + "fields": [ + { + "description": "Available percent of the MON\n", + "name": "available.pct", + "type": "long" + }, + { + "description": "Health of the MON\n", + "name": "health", + "type": "keyword" + }, + { + "description": "Available KB of the MON\n", + "name": "available.kb", + "type": "long" + }, + { + "description": "Total KB of the MON\n", + "name": "total.kb", + "type": "long" + }, + { + "description": "Used KB of the MON\n", + "name": "used.kb", + "type": "long" + }, + { + "description": "Time when was updated\n", + "name": "last_updated", + "type": "date" + }, + { + "description": "Name of 
the MON\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Log bytes of MON\n", + "format": "bytes", + "name": "store_stats.log.bytes", + "type": "long" + }, + { + "description": "Misc bytes of MON\n", + "format": "bytes", + "name": "store_stats.misc.bytes", + "type": "long" + }, + { + "description": "SST bytes of MON\n", + "format": "bytes", + "name": "store_stats.sst.bytes", + "type": "long" + }, + { + "description": "Total bytes of MON\n", + "format": "bytes", + "name": "store_stats.total.bytes", + "type": "long" + }, + { + "description": "Last updated\n", + "name": "store_stats.last_updated", + "type": "long" + } + ], + "name": "monitor_health", + "type": "group" + }, + { + "description": "pool_disk\n", + "fields": [ + { + "description": "Id of the pool\n", + "name": "id", + "type": "long" + }, + { + "description": "Name of the pool\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Available bytes of the pool\n", + "format": "bytes", + "name": "stats.available.bytes", + "type": "long" + }, + { + "description": "Number of objects of the pool\n", + "name": "stats.objects", + "type": "long" + }, + { + "description": "Used bytes of the pool\n", + "format": "bytes", + "name": "stats.used.bytes", + "type": "long" + }, + { + "description": "Used kb of the pool\n", + "name": "stats.used.kb", + "type": "long" + } + ], + "name": "pool_disk", + "type": "group" + } + ], + "name": "ceph", + "type": "group" + } + ], + "key": "ceph", + "short_config": false, + "title": "Ceph" + }, + { + "description": "beta[]\nMetrics collected from Couchbase servers.\n", + "fields": [ + { + "description": "`couchbase` contains the metrics that were scraped from Couchbase.\n", + "fields": [ + { + "description": "Couchbase bucket metrics.\n", + "fields": [ + { + "description": "Name of the bucket.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Type of the bucket.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Size 
of user data within buckets of the specified state that are resident in RAM.\n", + "format": "bytes", + "name": "data.used.bytes", + "type": "long" + }, + { + "description": "Number of disk fetches.\n", + "name": "disk.fetches", + "type": "long" + }, + { + "description": "Amount of disk used (bytes).\n", + "format": "bytes", + "name": "disk.used.bytes", + "type": "long" + }, + { + "description": "Amount of memory used by the bucket (bytes).\n", + "format": "bytes", + "name": "memory.used.bytes", + "type": "long" + }, + { + "description": "Amount of RAM used by the bucket (bytes).\n", + "format": "bytes", + "name": "quota.ram.bytes", + "type": "long" + }, + { + "description": "Percentage of RAM used (for active objects) against the configured bucket size (%).\n", + "format": "percent", + "name": "quota.use.pct", + "type": "scaled_float" + }, + { + "description": "Number of operations per second.\n", + "name": "ops_per_sec", + "type": "long" + }, + { + "description": "Number of items associated with the bucket.\n", + "name": "item_count", + "type": "long" + } + ], + "name": "bucket", + "type": "group" + }, + { + "description": "Couchbase cluster metrics.\n", + "fields": [ + { + "description": "Free hard drive space in the cluster (bytes).\n", + "format": "bytes", + "name": "hdd.free.bytes", + "type": "long" + }, + { + "description": "Hard drive quota total for the cluster (bytes).\n", + "format": "bytes", + "name": "hdd.quota.total.bytes", + "type": "long" + }, + { + "description": "Total hard drive space available to the cluster (bytes).\n", + "format": "bytes", + "name": "hdd.total.bytes", + "type": "long" + }, + { + "description": "Hard drive space used by the cluster (bytes).\n", + "format": "bytes", + "name": "hdd.used.value.bytes", + "type": "long" + }, + { + "description": "Hard drive space used by the data in the cluster (bytes).\n", + "format": "bytes", + "name": "hdd.used.by_data.bytes", + "type": "long" + }, + { + "description": "Max bucket count 
setting.\n", + "name": "max_bucket_count", + "type": "long" + }, + { + "description": "Memory quota setting for the Index service (Mbyte).\n", + "name": "quota.index_memory.mb", + "type": "long" + }, + { + "description": "Memory quota setting for the cluster (Mbyte).\n", + "name": "quota.memory.mb", + "type": "long" + }, + { + "description": "RAM quota total for the cluster (bytes).\n", + "format": "bytes", + "name": "ram.quota.total.value.bytes", + "type": "long" + }, + { + "description": "RAM quota used by the current node in the cluster (bytes).\n", + "format": "bytes", + "name": "ram.quota.total.per_node.bytes", + "type": "long" + }, + { + "description": "RAM quota used by the cluster (bytes).\n", + "format": "bytes", + "name": "ram.quota.used.value.bytes", + "type": "long" + }, + { + "description": "Ram quota used by the current node in the cluster (bytes)\n", + "format": "bytes", + "name": "ram.quota.used.per_node.bytes", + "type": "long" + }, + { + "description": "Total RAM available to cluster (bytes).\n", + "format": "bytes", + "name": "ram.total.bytes", + "type": "long" + }, + { + "description": "RAM used by the cluster (bytes).\n", + "format": "bytes", + "name": "ram.used.value.bytes", + "type": "long" + }, + { + "description": "RAM used by the data in the cluster (bytes).\n", + "format": "bytes", + "name": "ram.used.by_data.bytes", + "type": "long" + } + ], + "name": "cluster", + "type": "group" + }, + { + "description": "Couchbase node metrics.\n", + "fields": [ + { + "description": "Number of get commands\n", + "name": "cmd_get", + "type": "long" + }, + { + "description": "Amount of disk space used by Couch docs (bytes).\n", + "format": "bytes", + "name": "couch.docs.disk_size.bytes", + "type": "long" + }, + { + "description": "Data size of Couch docs associated with a node (bytes).\n", + "format": "bytes", + "name": "couch.docs.data_size.bytes", + "type": "long" + }, + { + "description": "Size of object data for spatial views (bytes).\n", + "name": 
"couch.spatial.data_size.bytes", + "type": "long" + }, + { + "description": "Amount of disk space used by spatial views (bytes).\n", + "name": "couch.spatial.disk_size.bytes", + "type": "long" + }, + { + "description": "Amount of disk space used by Couch views (bytes).\n", + "name": "couch.views.disk_size.bytes", + "type": "long" + }, + { + "description": "Size of object data for Couch views (bytes).\n", + "name": "couch.views.data_size.bytes", + "type": "long" + }, + { + "description": "The CPU utilization rate (%).\n", + "name": "cpu_utilization_rate.pct", + "type": "scaled_float" + }, + { + "description": "Number of current items.\n", + "name": "current_items.value", + "type": "long" + }, + { + "description": "Total number of items associated with the node.\n", + "name": "current_items.total", + "type": "long" + }, + { + "description": "Number of disk fetches performed since the server was started.\n", + "name": "ep_bg_fetched", + "type": "long" + }, + { + "description": "Number of get hits.\n", + "name": "get_hits", + "type": "long" + }, + { + "description": "The hostname of the node.\n", + "name": "hostname", + "type": "keyword" + }, + { + "description": "Amount of memcached memory allocated (bytes).\n", + "format": "bytes", + "name": "mcd_memory.allocated.bytes", + "type": "long" + }, + { + "description": "Amount of memcached memory reserved (bytes).\n", + "name": "mcd_memory.reserved.bytes", + "type": "long" + }, + { + "description": "Amount of memory free for the node (bytes).\n", + "name": "memory.free.bytes", + "type": "long" + }, + { + "description": "Total memory available to the node (bytes).\n", + "name": "memory.total.bytes", + "type": "long" + }, + { + "description": "Memory used by the node (bytes).\n", + "name": "memory.used.bytes", + "type": "long" + }, + { + "description": "Number of operations performed on Couchbase.\n", + "name": "ops", + "type": "long" + }, + { + "description": "Total swap size allocated (bytes).\n", + "name": 
"swap.total.bytes", + "type": "long" + }, + { + "description": "Amount of swap space used (bytes).\n", + "name": "swap.used.bytes", + "type": "long" + }, + { + "description": "Time during which the node was in operation (sec).\n", + "name": "uptime.sec", + "type": "long" + }, + { + "description": "Number of items/documents that are replicas.\n", + "name": "vb_replica_curr_items", + "type": "long" + } + ], + "name": "node", + "type": "group" + } + ], + "name": "couchbase", + "type": "group" + } + ], + "key": "couchbase", + "short_config": false, + "title": "Couchbase" + }, + { + "description": "beta[]\nDocker stats collected from Docker.\n", + "fields": [ + { + "description": "Information and statistics about docker's running containers.\n", + "fields": [ + { + "description": "Docker container metrics.\n", + "fields": [ + { + "description": "Command that was executed in the Docker container.\n", + "name": "command", + "type": "keyword" + }, + { + "description": "Date when the container was created.\n", + "name": "created", + "type": "date" + }, + { + "description": "Container status.\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Container size metrics.\n", + "fields": [ + { + "description": "Total size of all the files in the container.\n", + "name": "root_fs", + "type": "long" + }, + { + "description": "Size of the files that have been created or changed since creation.\n", + "name": "rw", + "type": "long" + } + ], + "name": "size", + "type": "group" + }, + { + "description": "Image tags.\n", + "name": "tags", + "type": "array" + } + ], + "name": "container", + "type": "group" + }, + { + "description": "Runtime CPU metrics.\n", + "fields": [ + { + "description": "The system kernel consumed by the Docker server.\n", + "format": "percent", + "name": "kernel.pct", + "type": "scaled_float" + }, + { + "description": "CPU kernel ticks.\n", + "name": "kernel.ticks", + "type": "long" + }, + { + "description": "", + "format": "percent", + "name": 
"system.pct", + "type": "scaled_float" + }, + { + "description": "CPU system ticks.\n", + "name": "system.ticks", + "type": "long" + }, + { + "description": "", + "format": "percent", + "name": "user.pct", + "type": "scaled_float" + }, + { + "description": "CPU user ticks\n", + "name": "user.ticks", + "type": "long" + }, + { + "description": "Total CPU usage.\n", + "format": "percent", + "name": "total.pct", + "type": "scaled_float" + } + ], + "name": "cpu", + "type": "group" + }, + { + "description": "Disk I/O metrics.\n", + "fields": [ + { + "description": "Number of reads.\n", + "name": "reads", + "type": "scaled_float" + }, + { + "description": "Number of writes.\n", + "name": "writes", + "type": "scaled_float" + }, + { + "description": "Number of reads and writes combined.\n", + "name": "total", + "type": "scaled_float" + } + ], + "name": "diskio", + "type": "group" + }, + { + "description": "Docker container metrics.\n", + "fields": [ + { + "description": "concurent failed check\n", + "name": "failingstreak", + "type": "integer" + }, + { + "description": "Healthcheck status code\n", + "name": "status", + "type": "keyword" + }, + { + "description": "event fields.\n", + "fields": [ + { + "description": "Healthcheck end date\n", + "name": "end_date", + "type": "date" + }, + { + "description": "Healthcheck start date\n", + "name": "start_date", + "type": "date" + }, + { + "description": "Healthcheck output\n", + "name": "output", + "type": "keyword" + }, + { + "description": "Healthcheck status code\n", + "name": "exit_code", + "type": "integer" + } + ], + "name": "event", + "type": "group" + } + ], + "name": "healthcheck", + "type": "group" + }, + { + "description": "Docker image metrics.\n", + "fields": [ + { + "description": "The image layers identifier.\n", + "fields": [ + { + "description": "Unique image identifier given upon its creation.\n", + "name": "current", + "type": "keyword" + }, + { + "description": "Identifier of the image, if it exists, from 
which the current image directly descends.\n", + "name": "parent", + "type": "keyword" + } + ], + "name": "id", + "type": "group" + }, + { + "description": "Date and time when the image was created.\n", + "name": "created", + "type": "date" + }, + { + "description": "Image size layers.\n", + "fields": [ + { + "description": "Size of the image.\n", + "name": "virtual", + "type": "long" + }, + { + "description": "Total size of the all cached images associated to the current image.\n", + "name": "regular", + "type": "long" + } + ], + "name": "size", + "type": "group" + }, + { + "description": "Image labels.\n", + "name": "labels", + "object_type": "keyword", + "type": "object" + }, + { + "description": "Image tags.\n", + "name": "tags", + "type": "array" + } + ], + "name": "image", + "type": "group" + }, + { + "description": "beta[]\nInfo metrics based on https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/display-system-wide-information.\n", + "fields": [ + { + "description": "Overall container stats.\n", + "fields": [ + { + "description": "Total number of paused containers.\n", + "name": "paused", + "type": "long" + }, + { + "description": "Total number of running containers.\n", + "name": "running", + "type": "long" + }, + { + "description": "Total number of stopped containers.\n", + "name": "stopped", + "type": "long" + }, + { + "description": "Total number of existing containers.\n", + "name": "total", + "type": "long" + } + ], + "name": "containers", + "type": "group" + }, + { + "description": "Unique Docker host identifier.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Total number of existing images.\n", + "name": "images", + "type": "long" + } + ], + "name": "info", + "type": "group" + }, + { + "description": "Memory metrics.\n", + "fields": [ + { + "description": "Fail counter.\n", + "name": "fail.count", + "type": "scaled_float" + }, + { + "description": "Memory limit.\n", + "format": "bytes", + "name": "limit", + 
"type": "long" + }, + { + "description": "RSS memory stats.\n", + "fields": [ + { + "description": "Total memory resident set size.\n", + "format": "bytes", + "name": "total", + "type": "long" + }, + { + "description": "Memory resident set size percentage.\n", + "format": "percent", + "name": "pct", + "type": "scaled_float" + } + ], + "name": "rss", + "type": "group" + }, + { + "description": "Usage memory stats.\n", + "fields": [ + { + "description": "Max memory usage.\n", + "format": "bytes", + "name": "max", + "type": "long" + }, + { + "description": "Memory usage percentage.\n", + "format": "percent", + "name": "pct", + "type": "scaled_float" + }, + { + "description": "Total memory usage.\n", + "format": "bytes", + "name": "total", + "type": "long" + } + ], + "name": "usage", + "type": "group" + } + ], + "name": "memory", + "type": "group" + }, + { + "description": "Network metrics.\n", + "fields": [ + { + "description": "Network interface name.\n", + "name": "interface", + "type": "keyword" + }, + { + "description": "Incoming network stats.\n", + "fields": [ + { + "description": "Total number of incoming bytes.\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Total number of dropped incoming packets.\n", + "name": "dropped", + "type": "scaled_float" + }, + { + "description": "Total errors on incoming packets.\n", + "name": "errors", + "type": "long" + }, + { + "description": "Total number of incoming packets.\n", + "name": "packets", + "type": "long" + } + ], + "name": "in", + "type": "group" + }, + { + "description": "Outgoing network stats.\n", + "fields": [ + { + "description": "Total number of outgoing bytes.\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Total number of dropped outgoing packets.\n", + "name": "dropped", + "type": "scaled_float" + }, + { + "description": "Total errors on outgoing packets.\n", + "name": "errors", + "type": "long" + }, + { + "description": "Total 
number of outgoing packets.\n", + "name": "packets", + "type": "long" + } + ], + "name": "out", + "type": "group" + } + ], + "name": "network", + "type": "group" + } + ], + "name": "docker", + "type": "group" + } + ], + "key": "docker", + "short_config": false, + "title": "Docker" + }, + { + "description": "beta[]\nStats collected from Dropwizard.\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "dropwizard", + "type": "group" + } + ], + "key": "dropwizard", + "short_config": false, + "title": "Dropwizard" + }, + { + "description": "experimental[]\nElasticsearch module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "Elasticsearch cluster name.\n", + "name": "cluster.name", + "type": "keyword" + }, + { + "description": "node\n", + "fields": [ + { + "description": "Heap init used by the JVM in bytes.\n", + "format": "bytes", + "name": "jvm.memory.heap_init.bytes", + "type": "long" + }, + { + "description": "JVM version.\n", + "name": "jvm.version", + "type": "keyword" + }, + { + "description": "Node name.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Node version.\n", + "name": "version", + "type": "keyword" + } + ], + "name": "node", + "type": "group" + }, + { + "description": "node_stats\n", + "fields": [ + { + "description": "Node indices stats\n", + "fields": [ + { + "description": "Total number of existing documents.\n", + "name": "docs.count", + "type": "long" + }, + { + "description": "Total number of deleted documents.\n", + "name": "docs.deleted", + "type": "long" + }, + { + "description": "Total number of segments.\n", + "name": "segments.count", + "type": "long" + }, + { + "description": "Total size of segments in bytes.\n", + "format": "bytes", + "name": "segments.memory.bytes", + "type": "long" + }, + { + "description": "Total size of the store in bytes.\n", + "name": "store.size.bytes", + "type": "long" + } + ], + "name": "indices", + "type": "group" + }, + { + "description": 
"JVM memory pool stats\n", + "fields": [ + { + "description": "Old memory pool stats.\n", + "fields": [ + { + "description": "Max bytes.", + "format": "bytes", + "name": "max.bytes", + "type": "long" + }, + { + "description": "Peak bytes.", + "format": "bytes", + "name": "peak.bytes", + "type": "long" + }, + { + "description": "Peak max bytes.", + "format": "bytes", + "name": "peak_max.bytes", + "type": "long" + }, + { + "description": "Used bytes.", + "format": "bytes", + "name": "used.bytes", + "type": "long" + } + ], + "name": "old", + "type": "group" + }, + { + "description": "Young memory pool stats.\n", + "fields": [ + { + "description": "Max bytes.", + "format": "bytes", + "name": "max.bytes", + "type": "long" + }, + { + "description": "Peak bytes.", + "format": "bytes", + "name": "peak.bytes", + "type": "long" + }, + { + "description": "Peak max bytes.", + "format": "bytes", + "name": "peak_max.bytes", + "type": "long" + }, + { + "description": "Used bytes.", + "format": "bytes", + "name": "used.bytes", + "type": "long" + } + ], + "name": "young", + "type": "group" + }, + { + "description": "Survivor memory pool stats.\n", + "fields": [ + { + "description": "Max bytes.", + "format": "bytes", + "name": "max.bytes", + "type": "long" + }, + { + "description": "Peak bytes.", + "format": "bytes", + "name": "peak.bytes", + "type": "long" + }, + { + "description": "Peak max bytes.", + "format": "bytes", + "name": "peak_max.bytes", + "type": "long" + }, + { + "description": "Used bytes.", + "format": "bytes", + "name": "used.bytes", + "type": "long" + } + ], + "name": "survivor", + "type": "group" + } + ], + "name": "jvm.mem.pools", + "type": "group" + }, + { + "description": "GC collector stats.\n", + "fields": [ + { + "description": "Old collection gc.\n", + "fields": [ + { + "description": "", + "name": "count", + "type": "long" + }, + { + "description": "", + "name": "ms", + "type": "long" + } + ], + "name": "old.collection", + "type": "group" + }, + { + 
"description": "Young collection gc.\n", + "fields": [ + { + "description": "", + "name": "count", + "type": "long" + }, + { + "description": "", + "name": "ms", + "type": "long" + } + ], + "name": "young.collection", + "type": "group" + } + ], + "name": "jvm.gc.collectors", + "type": "group" + } + ], + "name": "node.stats", + "type": "group" + } + ], + "name": "elasticsearch", + "type": "group" + } + ], + "key": "elasticsearch", + "short_config": false, + "title": "Elasticsearch" + }, + { + "description": "Golang module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "expvar\n", + "fields": [ + { + "description": "The cmdline of this golang program start with.\n", + "name": "cmdline", + "type": "keyword" + } + ], + "name": "expvar", + "type": "group" + }, + { + "description": "The golang program heap information exposed by expvar.\n", + "fields": [ + { + "description": "The cmdline of this golang program start with.\n", + "name": "cmdline", + "type": "keyword" + }, + { + "description": "Garbage collector summary.\n", + "fields": [ + { + "description": "Total GC pause duration over lifetime of process.\n", + "fields": [ + { + "description": "Duration in Ns.\n", + "name": "ns", + "type": "long" + } + ], + "name": "total_pause", + "type": "group" + }, + { + "description": "Total number of GC was happened.\n", + "name": "total_count", + "type": "long" + }, + { + "description": "Next collection will happen when HeapAlloc > this amount.\n", + "format": "bytes", + "name": "next_gc_limit", + "type": "long" + }, + { + "description": "Fraction of CPU time used by GC.\n", + "name": "cpu_fraction", + "type": "long" + }, + { + "description": "Last GC pause durations during the monitoring period.\n", + "fields": [ + { + "description": "Count of GC pause duration during this collect period.\n", + "name": "count", + "type": "long" + }, + { + "description": "Total GC pause duration during this collect period.\n", + "fields": [ + { + "description": 
"Duration in Ns.\n", + "name": "ns", + "type": "long" + } + ], + "name": "sum", + "type": "group" + }, + { + "description": "Max GC pause duration during this collect period.\n", + "fields": [ + { + "description": "Duration in Ns.\n", + "name": "ns", + "type": "long" + } + ], + "name": "max", + "type": "group" + }, + { + "description": "Average GC pause duration during this collect period.\n", + "fields": [ + { + "description": "Duration in Ns.\n", + "name": "ns", + "type": "long" + } + ], + "name": "avg", + "type": "group" + } + ], + "name": "pause", + "type": "group" + } + ], + "name": "gc", + "type": "group" + }, + { + "description": "Heap summary,which bytes was obtained from system.\n", + "fields": [ + { + "description": "Total bytes obtained from system (sum of XxxSys below).\n", + "format": "bytes", + "name": "total", + "type": "long" + }, + { + "description": "Via HeapSys, bytes obtained from system. heap_sys = heap_idle + heap_inuse.\n", + "format": "bytes", + "name": "obtained", + "type": "long" + }, + { + "description": "Bytes used by stack allocator, and these bytes was obtained from system.\n", + "format": "bytes", + "name": "stack", + "type": "long" + }, + { + "description": "Bytes released to the OS.\n", + "format": "bytes", + "name": "released", + "type": "long" + } + ], + "name": "system", + "type": "group" + }, + { + "description": "Heap allocations summary.\n", + "fields": [ + { + "description": "Number of mallocs.\n", + "name": "mallocs", + "type": "long" + }, + { + "description": "Number of frees.\n", + "name": "frees", + "type": "long" + }, + { + "description": "Total number of allocated objects.\n", + "name": "objects", + "type": "long" + }, + { + "description": "Bytes allocated (even if freed) throughout the lifetime.\n", + "format": "bytes", + "name": "total", + "type": "long" + }, + { + "description": "Bytes allocated and not yet freed (same as Alloc above).\n", + "format": "bytes", + "name": "allocated", + "type": "long" + }, + { + 
"description": "Bytes in idle spans.\n", + "format": "bytes", + "name": "idle", + "type": "long" + }, + { + "description": "Bytes in non-idle span.\n", + "format": "bytes", + "name": "active", + "type": "long" + } + ], + "name": "allocations", + "type": "group" + } + ], + "name": "heap", + "type": "group" + } + ], + "name": "golang", + "type": "group" + } + ], + "key": "golang", + "short_config": false, + "title": "Golang" + }, + { + "description": "[]experimental\ngraphite Module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "server\n", + "fields": [ + { + "description": "Example field\n", + "name": "example", + "type": "keyword" + } + ], + "name": "server", + "type": "group" + } + ], + "name": "graphite", + "type": "group" + } + ], + "key": "graphite", + "title": "graphite" + }, + { + "description": "HAProxy Module\n", + "fields": [ + { + "description": "HAProxy metrics.\n", + "fields": [ + { + "description": "General information about HAProxy processes.\n", + "fields": [ + { + "description": "Number of processes.\n", + "name": "processes", + "type": "long" + }, + { + "description": "Process number.\n", + "name": "process_num", + "type": "long" + }, + { + "description": "Process ID.\n", + "name": "pid", + "type": "long" + }, + { + "description": "", + "name": "run_queue", + "type": "long" + }, + { + "description": "", + "name": "tasks", + "type": "long" + }, + { + "description": "Current uptime in seconds.\n", + "name": "uptime.sec", + "type": "long" + }, + { + "description": "Maximum amount of memory usage in bytes (the 'Memmax_MB' value converted to bytes).\n", + "format": "bytes", + "name": "memory.max.bytes", + "type": "long" + }, + { + "description": "Maximum number of open files for the process.\n", + "name": "ulimit_n", + "type": "long" + }, + { + "description": "", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "", + "name": "in", + "type": "long" + }, + { + "description": "", + "name": "out", + 
"type": "long" + }, + { + "description": "", + "name": "rate_limit", + "type": "long" + } + ], + "name": "bps", + "type": "group" + } + ], + "name": "compress", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "", + "name": "value", + "type": "long" + }, + { + "description": "", + "name": "limit", + "type": "long" + }, + { + "description": "", + "name": "max", + "type": "long" + } + ], + "name": "rate", + "type": "group" + }, + { + "description": "Current connections.\n", + "name": "current", + "type": "long" + }, + { + "description": "Total connections.\n", + "name": "total", + "type": "long" + }, + { + "description": "Current SSL connections.\n", + "name": "ssl.current", + "type": "long" + }, + { + "description": "Total SSL connections.\n", + "name": "ssl.total", + "type": "long" + }, + { + "description": "Maximum SSL connections.\n", + "name": "ssl.max", + "type": "long" + }, + { + "description": "Maximum connections.\n", + "name": "max", + "type": "long" + }, + { + "description": "", + "name": "hard_max", + "type": "long" + } + ], + "name": "connection", + "type": "group" + }, + { + "description": "", + "name": "requests.total", + "type": "long" + }, + { + "description": "", + "name": "sockets.max", + "type": "long" + }, + { + "description": "", + "name": "requests.max", + "type": "long" + }, + { + "description": "", + "fields": [ + { + "description": "", + "name": "used", + "type": "integer" + }, + { + "description": "", + "name": "free", + "type": "integer" + }, + { + "description": "", + "name": "max", + "type": "integer" + } + ], + "name": "pipes", + "type": "group" + }, + { + "description": null, + "fields": [ + { + "description": "", + "name": "rate.value", + "type": "integer" + }, + { + "description": "", + "name": "rate.limit", + "type": "integer" + }, + { + "description": "", + "name": "rate.max", + "type": "integer" + } + ], + "name": "session", + "type": "group" + }, + { + 
"description": null, + "fields": [ + { + "description": null, + "name": "rate.value", + "type": "integer" + }, + { + "description": null, + "name": "rate.limit", + "type": "integer" + }, + { + "description": null, + "name": "rate.max", + "type": "integer" + }, + { + "description": null, + "fields": [ + { + "description": null, + "name": "key_rate.value", + "type": "integer" + }, + { + "description": null, + "name": "key_rate.max", + "type": "integer" + }, + { + "description": null, + "format": "percent", + "name": "session_reuse.pct", + "type": "scaled_float" + } + ], + "name": "frontend", + "type": "group" + }, + { + "description": null, + "fields": [ + { + "description": null, + "name": "key_rate.value", + "type": "integer" + }, + { + "description": "MaxConnRate", + "name": "key_rate.max", + "type": "integer" + } + ], + "name": "backend", + "type": "group" + }, + { + "description": null, + "name": "cached_lookups", + "type": "long" + }, + { + "description": null, + "name": "cache_misses", + "type": "long" + } + ], + "name": "ssl", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "", + "name": "value", + "type": "integer" + }, + { + "description": "", + "name": "max", + "type": "integer" + } + ], + "name": "zlib_mem_usage", + "type": "group" + }, + { + "description": "", + "format": "percent", + "name": "idle.pct", + "type": "scaled_float" + } + ], + "name": "info", + "type": "group" + }, + { + "description": "Stats collected from HAProxy processes.\n", + "fields": [ + { + "description": "Status (UP, DOWN, NOLB, MAINT, or MAINT(via)...).\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Total weight (for backends), or server weight (for servers).\n", + "name": "weight", + "type": "long" + }, + { + "description": "Total downtime (in seconds). 
For backends, this value is the downtime for the whole backend, not the sum of the downtime for the servers.\n", + "name": "downtime", + "type": "long" + }, + { + "description": "Component type (0=frontend, 1=backend, 2=server, or 3=socket/listener).\n", + "name": "component_type", + "type": "integer" + }, + { + "description": "Process ID (0 for first instance, 1 for second, and so on).\n", + "name": "process_id", + "type": "integer" + }, + { + "description": "Service name (FRONTEND for frontend, BACKEND for backend, or any name for server/listener).\n", + "name": "service_name", + "type": "keyword" + }, + { + "description": "Bytes in.\n", + "format": "bytes", + "name": "in.bytes", + "type": "long" + }, + { + "description": "Bytes out.\n", + "format": "bytes", + "name": "out.bytes", + "type": "long" + }, + { + "description": "Number of seconds since the last UP->DOWN or DOWN->UP transition.\n", + "name": "last_change", + "type": "integer" + }, + { + "description": "Current throttle percentage for the server when slowstart is active, or no value if slowstart is inactive.\n", + "format": "percent", + "name": "throttle.pct", + "type": "scaled_float" + }, + { + "description": "Total number of times a server was selected, either for new sessions, or when re-dispatching. 
For servers, this field reports the the number of times the server was selected.\n", + "name": "selected.total", + "type": "long" + }, + { + "description": "ID of the proxy/server if tracking is enabled.\n", + "name": "tracked.id", + "type": "long" + }, + { + "fields": [ + { + "description": "Cumulative number of connections.\n", + "name": "total", + "type": "long" + }, + { + "description": "Number of times a connection to a server was retried.\n", + "name": "retried", + "type": "long" + }, + { + "description": "Average connect time in ms over the last 1024 requests.\n", + "name": "time.avg", + "type": "long" + } + ], + "name": "connection", + "type": "group" + }, + { + "fields": [ + { + "description": "Requests denied because of security concerns.\n\n * For TCP this is because of a matched tcp-request content rule.\n * For HTTP this is because of a matched http-request or tarpit rule.\n", + "name": "denied", + "type": "long" + }, + { + "description": "Current queued requests. For backends, this field reports the number of requests queued without a server assigned.\n", + "name": "queued.current", + "type": "long" + }, + { + "description": "Maximum value of queued.current.\n", + "name": "queued.max", + "type": "long" + }, + { + "description": "Request errors. Some of the possible causes are:\n\n * early termination from the client, before the request has been sent\n * read error from the client\n * client timeout\n * client closed connection\n * various bad requests from the client.\n * request was tarpitted.\n", + "name": "errors", + "type": "long" + }, + { + "description": "Number of times a request was redispatched to another server. For servers, this field reports the number of times the server was switched away from.\n", + "name": "redispatched", + "type": "long" + }, + { + "description": "Number of requests that encountered an error trying to connect to a server. 
For backends, this field reports the sum of the stat for all backend servers, plus any connection errors not associated with a particular server (such as the backend having no active servers).\n", + "name": "connection.errors", + "type": "long" + }, + { + "description": "", + "fields": [ + { + "description": "Number of HTTP requests per second over the last elapsed second.\n", + "name": "value", + "type": "long" + }, + { + "description": "Maximum number of HTTP requests per second.\n", + "name": "max", + "type": "long" + } + ], + "name": "rate", + "type": "group" + }, + { + "description": "Total number of HTTP requests received.\n", + "name": "total", + "type": "long" + } + ], + "name": "request", + "type": "group" + }, + { + "fields": [ + { + "description": "Number of response errors. This value includes the number of data transfers aborted by the server (haproxy.stat.server.aborted). Some other errors are:\n* write errors on the client socket (won't be counted for the server stat) * failure applying filters to the response\n", + "name": "errors", + "type": "long" + }, + { + "description": "Average response time in ms over the last 1024 requests (0 for TCP).\n", + "name": "time.avg", + "type": "long" + }, + { + "description": "Responses denied because of security concerns. 
For HTTP this is because of a matched http-request rule, or \"option checkcache\".\n", + "name": "denied", + "type": "integer" + }, + { + "description": "", + "fields": [ + { + "description": "HTTP responses with 1xx code.\n", + "name": "1xx", + "type": "long" + }, + { + "description": "HTTP responses with 2xx code.\n", + "name": "2xx", + "type": "long" + }, + { + "description": "HTTP responses with 3xx code.\n", + "name": "3xx", + "type": "long" + }, + { + "description": "HTTP responses with 4xx code.\n", + "name": "4xx", + "type": "long" + }, + { + "description": "HTTP responses with 5xx code.\n", + "name": "5xx", + "type": "long" + }, + { + "description": "HTTP responses with other codes (protocol error).\n", + "name": "other", + "type": "long" + } + ], + "name": "http", + "type": "group" + } + ], + "name": "response", + "type": "group" + }, + { + "fields": [ + { + "description": "Number of current sessions.\n", + "name": "current", + "type": "long" + }, + { + "description": "Maximum number of sessions.\n", + "name": "max", + "type": "long" + }, + { + "description": "Configured session limit.\n", + "name": "limit", + "type": "long" + }, + { + "fields": [ + { + "description": "Number of sessions per second over the last elapsed second.\n", + "name": "value", + "type": "integer" + }, + { + "description": "Configured limit on new sessions per second.\n", + "name": "limit", + "type": "integer" + }, + { + "description": "Maximum number of new sessions per second.\n", + "name": "max", + "type": "integer" + } + ], + "name": "rate", + "type": "group" + } + ], + "name": "session", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "Status of the last health check. 
One of:\n\n UNK -> unknown\n INI -> initializing\n SOCKERR -> socket error\n L4OK -> check passed on layer 4, no upper layers testing enabled\n L4TOUT -> layer 1-4 timeout\n L4CON -> layer 1-4 connection problem, for example\n \"Connection refused\" (tcp rst) or \"No route to host\" (icmp)\n L6OK -> check passed on layer 6\n L6TOUT -> layer 6 (SSL) timeout\n L6RSP -> layer 6 invalid response - protocol error\n L7OK -> check passed on layer 7\n L7OKC -> check conditionally passed on layer 7, for example 404 with\n disable-on-404\n L7TOUT -> layer 7 (HTTP/SMTP) timeout\n L7RSP -> layer 7 invalid response - protocol error\n L7STS -> layer 7 response error, for example HTTP 5xx\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Layer 5-7 code, if available.\n", + "name": "code", + "type": "long" + }, + { + "description": "Time in ms that it took to finish the last health check.\n", + "name": "duration", + "type": "long" + }, + { + "description": "The result of the last health check.\n", + "name": "health.last", + "type": "keyword" + }, + { + "description": "Number of failed checks.\n", + "name": "health.fail", + "type": "long" + }, + { + "description": "", + "name": "agent.last", + "type": "integer" + }, + { + "description": "Number of checks that failed while the server was up.\n", + "name": "failed", + "type": "long" + }, + { + "description": "Number of UP->DOWN transitions. For backends, this value is the number of transitions to the whole backend being down, rather than the sum of the transitions for each server.\n", + "name": "down", + "type": "long" + } + ], + "name": "check", + "type": "group" + }, + { + "description": "Number of data transfers aborted by the client.\n", + "name": "client.aborted", + "type": "integer" + }, + { + "description": "", + "fields": [ + { + "description": "Server ID (unique inside a proxy).\n", + "name": "id", + "type": "integer" + }, + { + "description": "Number of data transfers aborted by the server. 
This value is included in haproxy.stat.response.errors.\n", + "name": "aborted", + "type": "integer" + }, + { + "description": "Number of backend servers that are active, meaning that they are healthy and can receive requests from the load balancer.\n", + "name": "active", + "type": "integer" + }, + { + "description": "Number of backend servers that are backup servers.\n", + "name": "backup", + "type": "integer" + } + ], + "name": "server", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "Number of HTTP response bytes fed to the compressor.\n", + "format": "bytes", + "name": "in.bytes", + "type": "long" + }, + { + "description": "Number of HTTP response bytes emitted by the compressor.\n", + "format": "bytes", + "name": "out.bytes", + "type": "integer" + }, + { + "description": "Number of bytes that bypassed the HTTP compressor (CPU/BW limit).\n", + "format": "bytes", + "name": "bypassed.bytes", + "type": "long" + }, + { + "description": "Number of HTTP responses that were compressed.\n", + "format": "bytes", + "name": "response.bytes", + "type": "long" + } + ], + "name": "compressor", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "Unique proxy ID.\n", + "name": "id", + "type": "integer" + }, + { + "description": "Proxy name.\n", + "name": "name", + "type": "keyword" + } + ], + "name": "proxy", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "Configured queue limit (maxqueue) for the server, or nothing if the value of maxqueue is 0 (meaning no limit).\n", + "name": "limit", + "type": "integer" + }, + { + "description": "The average queue time in ms over the last 1024 requests.\n", + "name": "time.avg", + "type": "integer" + } + ], + "name": "queue", + "type": "group" + } + ], + "name": "stat", + "type": "group" + } + ], + "name": "haproxy", + "type": "group" + } + ], + "key": "haproxy", + "short_config": false, + "title": "HAProxy" + }, + { + "description": 
"HTTP module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "HTTP request information\n", + "fields": [ + { + "description": "The HTTP headers sent\n", + "name": "header", + "type": "object" + }, + { + "description": "The HTTP method used\n", + "name": "method", + "type": "keyword" + }, + { + "description": "The HTTP payload sent\n", + "name": "body", + "type": "keyword" + } + ], + "name": "request", + "type": "group" + }, + { + "description": "HTTP response information\n", + "fields": [ + { + "description": "The HTTP headers received\n", + "name": "header", + "type": "object" + }, + { + "description": "The HTTP status code\n", + "name": "status_code", + "type": "keyword" + }, + { + "description": "The HTTP payload received\n", + "name": "body", + "type": "keyword" + } + ], + "name": "response", + "type": "group" + }, + { + "description": "json metricset\n", + "fields": null, + "name": "json", + "type": "group" + }, + { + "description": "server\n", + "fields": null, + "name": "server", + "type": "group" + } + ], + "name": "http", + "type": "group" + } + ], + "key": "http", + "title": "HTTP" + }, + { + "description": "beta[]\nJolokia module\n", + "fields": [ + { + "description": "jolokia contains metrics exposed via jolokia agent\n", + "fields": null, + "name": "jolokia", + "type": "group" + } + ], + "key": "jolokia", + "short_config": false, + "title": "Jolokia" + }, + { + "description": "Kafka module\nbeta[]\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "consumergroup\n", + "fields": [ + { + "description": "Broker Consumer Group Information have been read from (Broker handling the consumer group).\n", + "fields": [ + { + "description": "Broker id\n", + "name": "id", + "type": "long" + }, + { + "description": "Broker address\n", + "name": "address", + "type": "keyword" + } + ], + "name": "broker", + "type": "group" + }, + { + "description": "Consumer Group ID", + "name": "id", + "type": "keyword" + }, + 
{ + "description": "Topic name", + "name": "topic", + "type": "keyword" + }, + { + "description": "Partition ID", + "name": "partition", + "type": "long" + }, + { + "description": "consumer offset into partition being read", + "name": "offset", + "type": "long" + }, + { + "description": "custom consumer meta data string", + "name": "meta", + "type": "text" + }, + { + "description": "kafka consumer/partition error code.\n", + "name": "error.code", + "type": "long" + }, + { + "description": "Assigned client reading events from partition\n", + "fields": [ + { + "description": "Client ID (kafka setting client.id)", + "name": "id", + "type": "keyword" + }, + { + "description": "Client host", + "name": "host", + "type": "keyword" + }, + { + "description": "internal consumer group member ID", + "name": "member_id", + "type": "keyword" + } + ], + "name": "client", + "type": "group" + } + ], + "name": "consumergroup", + "type": "group" + }, + { + "description": "partition\n", + "fields": [ + { + "description": "Available offsets of the given partition.\n", + "fields": [ + { + "description": "Newest offset of the partition.\n", + "name": "newest", + "type": "long" + }, + { + "description": "Oldest offset of the partition.\n", + "name": "oldest", + "type": "long" + } + ], + "name": "offset", + "type": "group" + }, + { + "description": "Partition data.\n", + "fields": [ + { + "description": "Partition id.\n", + "name": "id", + "type": "long" + }, + { + "description": "Leader id (broker).\n", + "name": "leader", + "type": "long" + }, + { + "description": "List of isr ids.\n", + "name": "isr", + "type": "array" + }, + { + "description": "Replica id (broker).\n", + "name": "replica", + "type": "long" + }, + { + "description": "Indicates if replica is included in the in-sync replicate set (ISR).\n", + "name": "insync_replica", + "type": "boolean" + }, + { + "description": "Error code from fetching partition.\n", + "name": "error.code", + "type": "long" + } + ], + "name": 
"partition", + "type": "group" + }, + { + "description": "topic error code.\n", + "name": "topic.error.code", + "type": "long" + }, + { + "description": "Topic name\n", + "name": "topic.name", + "type": "keyword" + }, + { + "description": "Broker id\n", + "name": "broker.id", + "type": "long" + }, + { + "description": "Broker address\n", + "name": "broker.address", + "type": "keyword" + } + ], + "name": "partition", + "type": "group" + } + ], + "name": "kafka", + "type": "group" + } + ], + "key": "kafka", + "short_config": false, + "title": "Kafka" + }, + { + "description": "experimental[]\nKibana module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "Status fields\n", + "fields": [ + { + "description": "Kibana instance name.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Kibana instance uuid.\n", + "name": "uuid", + "type": "keyword" + }, + { + "description": "Kibana version number.\n", + "name": "version.number", + "type": "keyword" + }, + { + "description": "Kibana overall state.\n", + "name": "status.overall.state", + "type": "keyword" + }, + { + "description": "Metrics fields\n", + "fields": [ + { + "description": "Current concurrent connections.\n", + "name": "concurrent_connections", + "type": "long" + }, + { + "description": "Request statistics.\n", + "fields": [ + { + "description": "Total number of disconnected connections.\n", + "name": "disconnects", + "type": "long" + }, + { + "description": "Total number of connections.\n", + "name": "total", + "type": "long" + } + ], + "name": "requests", + "type": "group" + } + ], + "name": "metrics", + "type": "group" + } + ], + "name": "status", + "type": "group" + } + ], + "name": "kibana", + "type": "group" + } + ], + "key": "kibana", + "short_config": false, + "title": "Kibana" + }, + { + "description": "beta[]\nKubernetes metrics\n", + "fields": [ + { + "description": "Information and statistics of pods managed by kubernetes.\n", + "fields": [ + { + 
"description": "kubernetes container metrics\n", + "fields": [ + { + "description": "Start time\n", + "name": "start_time", + "type": "date" + }, + { + "description": "CPU usage metrics\n", + "fields": [ + { + "fields": [ + { + "fields": [ + { + "description": "Container CPU Core usage nanoseconds\n", + "name": "ns", + "type": "long" + } + ], + "name": "core", + "type": "group" + }, + { + "description": "CPU used nanocores\n", + "name": "nanocores", + "type": "long" + } + ], + "name": "usage", + "type": "group" + } + ], + "name": "cpu", + "type": "group" + }, + { + "description": "Logs info\n", + "fields": [ + { + "fields": [ + { + "description": "Logs available capacity in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "available", + "type": "group" + }, + { + "fields": [ + { + "description": "Logs total capacity in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "capacity", + "type": "group" + }, + { + "fields": [ + { + "description": "Logs used capacity in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "used", + "type": "group" + }, + { + "fields": [ + { + "description": "Total available inodes\n", + "name": "count", + "type": "long" + }, + { + "description": "Total free inodes\n", + "name": "free", + "type": "long" + }, + { + "description": "Total used inodes\n", + "name": "used", + "type": "long" + } + ], + "name": "inodes", + "type": "group" + } + ], + "name": "logs", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Total available memory\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "available", + "type": "group" + }, + { + "fields": [ + { + "description": "Total memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "usage", + "type": "group" + }, + { + "fields": [ + { + "description": "RSS memory usage\n", + "format": "bytes", + "name": 
"bytes", + "type": "long" + } + ], + "name": "rss", + "type": "group" + }, + { + "fields": [ + { + "description": "Working set memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "workingset", + "type": "group" + }, + { + "description": "Number of page faults\n", + "name": "pagefaults", + "type": "long" + }, + { + "description": "Number of major page faults\n", + "name": "majorpagefaults", + "type": "long" + } + ], + "name": "memory", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Root filesystem total capacity in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "capacity", + "type": "group" + }, + { + "fields": [ + { + "description": "Root filesystem total available in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "available", + "type": "group" + }, + { + "fields": [ + { + "description": "Root filesystem total used in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "used", + "type": "group" + }, + { + "fields": [ + { + "description": "Used inodes\n", + "name": "used", + "type": "long" + } + ], + "name": "inodes", + "type": "group" + } + ], + "name": "rootfs", + "type": "group" + } + ], + "name": "container", + "type": "group" + }, + { + "description": "The Kubernetes events metricset collects events that are generated by objects running inside of Kubernetes\n", + "fields": [ + { + "description": "Count field records the number of times the particular event has occurred\n", + "fields": [ + { + "fields": [ + { + "description": "Timestamp of first occurrence of event\n", + "name": "first_occurrence", + "type": "date" + }, + { + "description": "Timestamp of last occurrence of event\n", + "name": "last_occurrence", + "type": "date" + } + ], + "name": "timestamp", + "type": "group" + } + ], + "name": "count", + "type": "long" + }, + { + "description": "Message recorded for the given 
event\n", + "name": "message", + "type": "keyword" + }, + { + "description": "Reason recorded for the given event\n", + "name": "reason", + "type": "keyword" + }, + { + "description": "Type of the given event\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Metadata associated with the given event\n", + "fields": [ + { + "fields": [ + { + "description": "Timestamp of creation of the given event\n", + "name": "created", + "type": "date" + } + ], + "name": "timestamp", + "type": "group" + }, + { + "description": "Name of the event\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Namespace in which event was generated\n", + "name": "namespace", + "type": "keyword" + }, + { + "description": "Version of the event resource\n", + "name": "resource_version", + "type": "keyword" + }, + { + "description": "Unique identifier to the event object\n", + "name": "uid", + "type": "keyword" + }, + { + "description": "URL representing the event\n", + "name": "self_link", + "type": "keyword" + } + ], + "name": "metadata", + "type": "group" + }, + { + "description": "Metadata associated with the given involved object\n", + "fields": [ + { + "description": "API version of the object\n", + "name": "api_version", + "type": "keyword" + }, + { + "description": "API kind of the object\n", + "name": "kind", + "type": "keyword" + }, + { + "description": "name of the object\n", + "name": "name", + "type": "keyword" + }, + { + "description": "resource version of the object\n", + "name": "resource_version", + "type": "keyword" + }, + { + "description": "UUID version of the object\n", + "name": "uid", + "type": "keyword" + } + ], + "name": "involved_object", + "type": "group" + } + ], + "name": "event", + "type": "group" + }, + { + "description": "kubernetes node metrics\n", + "fields": [ + { + "description": "Node name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Start time\n", + "name": "start_time", + "type": "date" + }, + { + 
"description": "CPU usage metrics\n", + "fields": [ + { + "fields": [ + { + "fields": [ + { + "description": "Node CPU Core usage nanoseconds\n", + "name": "ns", + "type": "long" + } + ], + "name": "core", + "type": "group" + }, + { + "description": "CPU used nanocores\n", + "name": "nanocores", + "type": "long" + } + ], + "name": "usage", + "type": "group" + } + ], + "name": "cpu", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Total available memory\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "available", + "type": "group" + }, + { + "fields": [ + { + "description": "Total memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "usage", + "type": "group" + }, + { + "fields": [ + { + "description": "RSS memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "rss", + "type": "group" + }, + { + "fields": [ + { + "description": "Working set memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "workingset", + "type": "group" + }, + { + "description": "Number of page faults\n", + "name": "pagefaults", + "type": "long" + }, + { + "description": "Number of major page faults\n", + "name": "majorpagefaults", + "type": "long" + } + ], + "name": "memory", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Received bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Rx errors\n", + "name": "errors", + "type": "long" + } + ], + "name": "rx", + "type": "group" + }, + { + "fields": [ + { + "description": "Transmitted bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Tx errors\n", + "name": "errors", + "type": "long" + } + ], + "name": "tx", + "type": "group" + } + ], + "name": "network", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Filesystem total 
capacity in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "capacity", + "type": "group" + }, + { + "fields": [ + { + "description": "Filesystem total available in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "available", + "type": "group" + }, + { + "fields": [ + { + "description": "Filesystem total used in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "used", + "type": "group" + }, + { + "fields": [ + { + "description": "Number of used inodes\n", + "name": "used", + "type": "long" + }, + { + "description": "Number of inodes\n", + "name": "count", + "type": "long" + }, + { + "description": "Number of free inodes\n", + "name": "free", + "type": "long" + } + ], + "name": "inodes", + "type": "group" + } + ], + "name": "fs", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "fields": [ + { + "description": "Image filesystem total capacity in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "capacity", + "type": "group" + }, + { + "fields": [ + { + "description": "Image filesystem total available in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "available", + "type": "group" + }, + { + "fields": [ + { + "description": "Image filesystem total used in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "used", + "type": "group" + } + ], + "name": "imagefs", + "type": "group" + } + ], + "name": "runtime", + "type": "group" + } + ], + "name": "node", + "type": "group" + }, + { + "description": "kubernetes pod metrics\n", + "fields": [ + { + "description": "Start time\n", + "name": "start_time", + "type": "date" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Received bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Rx errors\n", + "name": "errors", + "type": "long" + } + 
], + "name": "rx", + "type": "group" + }, + { + "fields": [ + { + "description": "Transmitted bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Tx errors\n", + "name": "errors", + "type": "long" + } + ], + "name": "tx", + "type": "group" + } + ], + "name": "network", + "type": "group" + } + ], + "name": "pod", + "type": "group" + }, + { + "description": "kubernetes container metrics\n", + "fields": [ + { + "description": "Container id", + "name": "id", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Container phase (running, waiting, terminated)\n", + "name": "phase", + "type": "keyword" + }, + { + "description": "Container ready status\n", + "name": "ready", + "type": "boolean" + }, + { + "description": "Container restarts count\n", + "name": "restarts", + "type": "integer" + } + ], + "name": "status", + "type": "group" + }, + { + "fields": [ + { + "description": "Container CPU nanocores limit\n", + "name": "limit.nanocores", + "type": "long" + }, + { + "description": "Container CPU requested nanocores\n", + "name": "request.nanocores", + "type": "long" + } + ], + "name": "cpu", + "type": "group" + }, + { + "fields": [ + { + "description": "Container memory limit in bytes\n", + "format": "bytes", + "name": "limit.bytes", + "type": "long" + }, + { + "description": "Container requested memory in bytes\n", + "format": "bytes", + "name": "request.bytes", + "type": "long" + } + ], + "name": "memory", + "type": "group" + } + ], + "name": "container", + "type": "group" + }, + { + "description": "kubernetes deployment metrics\n", + "fields": [ + { + "description": "Kubernetes deployment name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Kubernetes deployment paused status\n", + "name": "paused", + "type": "boolean" + }, + { + "description": "Kubernetes deployment replicas info\n", + "fields": [ + { + "description": "Deployment number of desired replicas (spec)\n", + "name": "desired", + 
"type": "integer" + }, + { + "description": "Deployment available replicas\n", + "name": "available", + "type": "integer" + }, + { + "description": "Deployment unavailable replicas\n", + "name": "unavailable", + "type": "integer" + }, + { + "description": "Deployment updated replicas\n", + "name": "updated", + "type": "integer" + } + ], + "name": "replicas", + "type": "group" + } + ], + "name": "deployment", + "type": "group" + }, + { + "description": "kubernetes node metrics\n", + "fields": [ + { + "fields": [ + { + "description": "Node ready status (true, false or unknown)\n", + "name": "ready", + "type": "keyword" + }, + { + "description": "Node unschedulable status\n", + "name": "unschedulable", + "type": "boolean" + } + ], + "name": "status", + "type": "group" + }, + { + "fields": [ + { + "description": "Node CPU allocatable cores\n", + "name": "allocatable.cores", + "type": "float" + }, + { + "description": "Node CPU capacity cores\n", + "name": "capacity.cores", + "type": "long" + } + ], + "name": "cpu", + "type": "group" + }, + { + "fields": [ + { + "description": "Node allocatable memory in bytes\n", + "format": "bytes", + "name": "allocatable.bytes", + "type": "long" + }, + { + "description": "Node memory capacity in bytes\n", + "format": "bytes", + "name": "capacity.bytes", + "type": "long" + } + ], + "name": "memory", + "type": "group" + }, + { + "fields": [ + { + "description": "Node allocatable pods\n", + "name": "allocatable.total", + "type": "long" + }, + { + "description": "Node pod capacity\n", + "name": "capacity.total", + "type": "long" + } + ], + "name": "pod", + "type": "group" + } + ], + "name": "node", + "type": "group" + }, + { + "description": "kubernetes pod metrics\n", + "fields": [ + { + "description": "Kubernetes pod IP\n", + "name": "ip", + "type": "ip" + }, + { + "description": "Kubernetes pod host IP\n", + "name": "host_ip", + "type": "ip" + }, + { + "description": "Kubernetes pod status metrics\n", + "fields": [ + { + 
"description": "Kubernetes pod phase (Running, Pending...)\n", + "name": "phase", + "type": "keyword" + }, + { + "description": "Kubernetes pod ready status (true, false or unknown)\n", + "name": "ready", + "type": "keyword" + }, + { + "description": "Kubernetes pod scheduled status (true, false, unknown)\n", + "name": "scheduled", + "type": "keyword" + } + ], + "name": "status", + "type": "group" + } + ], + "name": "pod", + "type": "group" + }, + { + "description": "kubernetes replica set metrics\n", + "fields": [ + { + "description": "Kubernetes replica set name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Kubernetes replica set paused status\n", + "fields": [ + { + "description": "The number of replicas per ReplicaSet\n", + "name": "available", + "type": "long" + }, + { + "description": "The number of replicas per ReplicaSet\n", + "name": "desired", + "type": "long" + }, + { + "description": "The number of ready replicas per ReplicaSet\n", + "name": "ready", + "type": "long" + }, + { + "description": "The generation observed by the ReplicaSet controller\n", + "name": "observed", + "type": "long" + }, + { + "description": "The number of fully labeled replicas per ReplicaSet\n", + "name": "labeled", + "type": "long" + } + ], + "name": "replicas", + "type": "group" + } + ], + "name": "replicaset", + "type": "group" + }, + { + "description": "kubernetes system containers metrics\n", + "fields": [ + { + "description": "Container name\n", + "name": "container", + "type": "keyword" + }, + { + "description": "Start time\n", + "name": "start_time", + "type": "date" + }, + { + "description": "CPU usage metrics\n", + "fields": [ + { + "fields": [ + { + "fields": [ + { + "description": "CPU Core usage nanoseconds\n", + "name": "ns", + "type": "long" + } + ], + "name": "core", + "type": "group" + }, + { + "description": "CPU used nanocores\n", + "name": "nanocores", + "type": "long" + } + ], + "name": "usage", + "type": "group" + } + ], + "name": 
"cpu", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Total memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "usage", + "type": "group" + }, + { + "fields": [ + { + "description": "RSS memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "rss", + "type": "group" + }, + { + "fields": [ + { + "description": "Working set memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "workingset", + "type": "group" + }, + { + "description": "Number of page faults\n", + "name": "pagefaults", + "type": "long" + }, + { + "description": "Number of major page faults\n", + "name": "majorpagefaults", + "type": "long" + } + ], + "name": "memory", + "type": "group" + } + ], + "name": "system", + "type": "group" + }, + { + "description": "kubernetes volume metrics\n", + "fields": [ + { + "description": "Volume name\n", + "name": "name", + "type": "keyword" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Filesystem total capacity in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "capacity", + "type": "group" + }, + { + "fields": [ + { + "description": "Filesystem total available in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "available", + "type": "group" + }, + { + "fields": [ + { + "description": "Filesystem total used in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "used", + "type": "group" + }, + { + "fields": [ + { + "description": "Used inodes\n", + "name": "used", + "type": "long" + }, + { + "description": "Free inodes\n", + "name": "free", + "type": "long" + }, + { + "description": "Total inodes\n", + "name": "count", + "type": "long" + } + ], + "name": "inodes", + "type": "group" + } + ], + "name": "fs", + "type": "group" + } + ], + "name": "volume", + "type": "group" + } + ], + "name": 
"kubernetes", + "type": "group" + } + ], + "key": "kubernetes", + "short_config": false, + "title": "Kubernetes" + }, + { + "description": "beta[]\nMemcached module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "stats\n", + "fields": [ + { + "description": "Current process ID of the Memcached task.\n", + "name": "pid", + "type": "long" + }, + { + "description": "Memcached server uptime.\n", + "name": "uptime.sec", + "type": "long" + }, + { + "description": "Number of threads used by the current Memcached server process.\n", + "name": "threads", + "type": "long" + }, + { + "description": "Number of open connections to this Memcached server, should be the same value on all servers during normal operation.\n", + "name": "connections.current", + "type": "long" + }, + { + "description": "Numer of successful connect attempts to this server since it has been started.\n", + "name": "connections.total", + "type": "long" + }, + { + "description": "Number of successful \"get\" commands (cache hits) since startup, divide them by the \"cmd_get\" value to get the cache hitrate.\n", + "name": "get.hits", + "type": "long" + }, + { + "description": "Number of failed \"get\" requests because nothing was cached for this key or the cached value was too old.\n", + "name": "get.misses", + "type": "long" + }, + { + "description": "Number of \"get\" commands received since server startup not counting if they were successful or not.\n", + "name": "cmd.get", + "type": "long" + }, + { + "description": "Number of \"set\" commands serviced since startup.\n", + "name": "cmd.set", + "type": "long" + }, + { + "description": "Total number of bytes received from the network by this server.\n", + "formate": "bytes", + "name": "read.bytes", + "type": "long" + }, + { + "description": "Total number of bytes send to the network by this server.\n", + "formate": "bytes", + "name": "written.bytes", + "type": "long" + }, + { + "description": "Number of items currently in this 
server's cache.\n", + "name": "items.current", + "type": "long" + }, + { + "description": "Number of items stored ever stored on this server. This is no \"maximum item count\" value but a counted increased by every new item stored in the cache.\n", + "formate": "bytes", + "name": "items.total", + "type": "long" + }, + { + "description": "Number of objects removed from the cache to free up memory for new items because Memcached reached it's maximum memory setting (limit_maxbytes).\n", + "formate": "bytes", + "name": "evictions", + "type": "long" + } + ], + "name": "stats", + "type": "group" + } + ], + "name": "memcached", + "type": "group" + } + ], + "key": "memcached", + "short_config": false, + "title": "Memcached" + }, + { + "description": "Metrics collected from MongoDB servers.\n", + "fields": [ + { + "description": "MongoDB metrics.\n", + "fields": [ + { + "description": "dbstats provides an overview of a particular mongo database. This document is most concerned with data volumes of a database.\n", + "fields": [ + { + "format": "bytes", + "name": "avg_obj_size.bytes", + "type": "long" + }, + { + "name": "collections", + "type": "integer" + }, + { + "format": "bytes", + "name": "data_size.bytes", + "type": "long" + }, + { + "name": "db", + "type": "keyword" + }, + { + "format": "bytes", + "name": "file_size.bytes", + "type": "long" + }, + { + "format": "bytes", + "name": "index_size.bytes", + "type": "long" + }, + { + "name": "indexes", + "type": "long" + }, + { + "name": "num_extents", + "type": "long" + }, + { + "name": "objects", + "type": "long" + }, + { + "format": "bytes", + "name": "storage_size.bytes", + "type": "long" + }, + { + "name": "ns_size_mb.mb", + "type": "long" + }, + { + "fields": [ + { + "name": "major", + "type": "long" + }, + { + "name": "minor", + "type": "long" + } + ], + "name": "data_file_version", + "type": "group" + }, + { + "fields": [ + { + "name": "num", + "type": "long" + }, + { + "format": "bytes", + "name": "size.bytes", + 
"type": "long" + } + ], + "name": "extent_free_list", + "type": "group" + } + ], + "name": "dbstats", + "type": "group" + }, + { + "description": "MongoDB server status metrics.\n", + "fields": [ + { + "description": "Instance version.\n", + "name": "version", + "type": "keyword" + }, + { + "description": "Instance uptime in milliseconds.\n", + "name": "uptime.ms", + "type": "long" + }, + { + "description": "Local time as reported by the MongoDB instance.\n", + "name": "local_time", + "type": "date" + }, + { + "description": "Number of regular assertions produced by the server.\n", + "name": "asserts.regular", + "type": "long" + }, + { + "description": "Number of warning assertions produced by the server.\n", + "name": "asserts.warning", + "type": "long" + }, + { + "description": "Number of msg assertions produced by the server.\n", + "name": "asserts.msg", + "type": "long" + }, + { + "description": "Number of user assertions produced by the server.\n", + "name": "asserts.user", + "type": "long" + }, + { + "description": "Number of rollovers assertions produced by the server.\n", + "name": "asserts.rollovers", + "type": "long" + }, + { + "description": "Data about the process MongoDB uses to write data to disk. This data is only available for instances that use the MMAPv1 storage engine.\n", + "fields": [ + { + "description": "A counter that collects the number of times the database has flushed all writes to disk.\n", + "name": "flushes", + "type": "long" + }, + { + "description": "The total number of milliseconds (ms) that the mongod processes have spent writing (i.e. flushing) data to disk. 
Because this is an absolute value, consider the value of `flushes` and `average_ms` to provide better context for this datum.\n", + "name": "total.ms", + "type": "long" + }, + { + "description": "The average time spent flushing to disk per flush event.\n", + "name": "average.ms", + "type": "long" + }, + { + "description": "The amount of time, in milliseconds, that the last flush operation took to complete.\n", + "name": "last.ms", + "type": "long" + }, + { + "description": "A timestamp of the last completed flush operation.\n", + "name": "last_finished", + "type": "date" + } + ], + "name": "background_flushing", + "type": "group" + }, + { + "description": "Data regarding the current status of incoming connections and availability of the database server.\n", + "fields": [ + { + "description": "The number of connections to the database server from clients. This number includes the current shell session. Consider the value of `available` to add more context to this datum.\n", + "name": "current", + "type": "long" + }, + { + "description": "The number of unused available incoming connections the database can provide.\n", + "name": "available", + "type": "long" + }, + { + "description": "A count of all incoming connections created to the server. This number includes connections that have since closed.\n", + "name": "total_created", + "type": "long" + } + ], + "name": "connections", + "type": "group" + }, + { + "description": "Data about the journaling-related operations and performance. 
Journaling information only appears for mongod instances that use the MMAPv1 storage engine and have journaling enabled.\n", + "fields": [ + { + "description": "The number of transactions written to the journal during the last journal group commit interval.\n", + "name": "commits", + "type": "long" + }, + { + "description": "The amount of data in megabytes (MB) written to journal during the last journal group commit interval.\n", + "name": "journaled.mb", + "type": "long" + }, + { + "description": "The amount of data in megabytes (MB) written from journal to the data files during the last journal group commit interval.\n", + "name": "write_to_data_files.mb", + "type": "long" + }, + { + "description": "The compression ratio of the data written to the journal.\n", + "name": "compression", + "type": "long" + }, + { + "description": "Count of the commits that occurred while a write lock was held. Commits in a write lock indicate a MongoDB node under a heavy write load and call for further diagnosis.\n", + "name": "commits_in_write_lock", + "type": "long" + }, + { + "description": "The number of times MongoDB requested a commit before the scheduled journal group commit interval.\n", + "name": "early_commits", + "type": "long" + }, + { + "description": "Information about the performance of the mongod instance during the various phases of journaling in the last journal group commit interval.\n", + "fields": [ + { + "description": "The amount of time over which MongoDB collected the times data. Use this field to provide context to the other times field values.\n", + "name": "dt.ms", + "type": "long" + }, + { + "description": "The amount of time spent preparing to write to the journal. Smaller values indicate better journal performance.\n", + "name": "prep_log_buffer.ms", + "type": "long" + }, + { + "description": "The amount of time spent actually writing to the journal. 
File system speeds and device interfaces can affect performance.\n", + "name": "write_to_journal.ms", + "type": "long" + }, + { + "description": "The amount of time spent writing to data files after journaling. File system speeds and device interfaces can affect performance.\n", + "name": "write_to_data_files.ms", + "type": "long" + }, + { + "description": "The amount of time spent remapping copy-on-write memory mapped views. Smaller values indicate better journal performance.\n", + "name": "remap_private_view.ms", + "type": "long" + }, + { + "description": "The amount of time spent for commits.\n", + "name": "commits.ms", + "type": "long" + }, + { + "description": "The amount of time spent for commits that occurred while a write lock was held.\n", + "name": "commits_in_write_lock.ms", + "type": "long" + } + ], + "name": "times", + "type": "group" + } + ], + "name": "journaling", + "type": "group" + }, + { + "description": "Platform specific data.\n", + "fields": [ + { + "description": "The total size in bytes of heap space used by the database process. Only available on Unix/Linux.\n", + "format": "bytes", + "name": "heap_usage.bytes", + "type": "long" + }, + { + "description": "The total number of page faults that require disk operations. 
Page faults refer to operations that require the database server to access data that isn't available in active memory.\n", + "name": "page_faults", + "type": "long" + } + ], + "name": "extra_info", + "type": "group" + }, + { + "description": "Platform specific data.\n", + "fields": [ + { + "description": "The amount of network traffic, in bytes, received by this database.\n", + "format": "bytes", + "name": "in.bytes", + "type": "long" + }, + { + "description": "The amount of network traffic, in bytes, sent from this database.\n", + "format": "bytes", + "name": "out.bytes", + "type": "long" + }, + { + "description": "The total number of requests received by the server.\n", + "name": "requests", + "type": "long" + } + ], + "name": "network", + "type": "group" + }, + { + "description": "An overview of database operations by type.\n", + "fields": [ + { + "description": "The total number of insert operations received since the mongod instance last started.\n", + "name": "insert", + "type": "long" + }, + { + "description": "The total number of queries received since the mongod instance last started.\n", + "name": "query", + "type": "long" + }, + { + "description": "The total number of update operations received since the mongod instance last started.\n", + "name": "update", + "type": "long" + }, + { + "description": "The total number of delete operations received since the mongod instance last started.\n", + "name": "delete", + "type": "long" + }, + { + "description": "The total number of getmore operations received since the mongod instance last started.\n", + "name": "getmore", + "type": "long" + }, + { + "description": "The total number of commands issued to the database since the mongod instance last started.\n", + "name": "command", + "type": "long" + } + ], + "name": "opcounters", + "type": "group" + }, + { + "description": "An overview of database replication operations by type.\n", + "fields": [ + { + "description": "The total number of replicated insert 
operations received since the mongod instance last started.\n", + "name": "insert", + "type": "long" + }, + { + "description": "The total number of replicated queries received since the mongod instance last started.\n", + "name": "query", + "type": "long" + }, + { + "description": "The total number of replicated update operations received since the mongod instance last started.\n", + "name": "update", + "type": "long" + }, + { + "description": "The total number of replicated delete operations received since the mongod instance last started.\n", + "name": "delete", + "type": "long" + }, + { + "description": "The total number of replicated getmore operations received since the mongod instance last started.\n", + "name": "getmore", + "type": "long" + }, + { + "description": "The total number of replicated commands issued to the database since the mongod instance last started.\n", + "name": "command", + "type": "long" + } + ], + "name": "opcounters_replicated", + "type": "group" + }, + { + "description": "Data about the current memory usage of the mongod server.\n", + "fields": [ + { + "description": "Either 64 or 32, depending on which target architecture was specified during the mongod compilation process.\n", + "name": "bits", + "type": "long" + }, + { + "description": "The amount of RAM, in megabytes (MB), currently used by the database process.\n", + "name": "resident.mb", + "type": "long" + }, + { + "description": "The amount, in megabytes (MB), of virtual memory used by the mongod process.\n", + "name": "virtual.mb", + "type": "long" + }, + { + "description": "The amount of mapped memory, in megabytes (MB), used by the database. 
Because MongoDB uses memory-mapped files, this value is likely to be to be roughly equivalent to the total size of your database or databases.\n", + "name": "mapped.mb", + "type": "long" + }, + { + "description": "The amount of mapped memory, in megabytes (MB), including the memory used for journaling.\n", + "name": "mapped_with_journal.mb", + "type": "long" + } + ], + "name": "memory", + "type": "group" + }, + { + "description": "True when there are operations from a mongos instance queued for retrying.\n", + "name": "write_backs_queued", + "type": "boolean" + }, + { + "description": "A string that represents the name of the current storage engine.\n", + "name": "storage_engine.name", + "type": "keyword" + }, + { + "description": "Statistics about the WiredTiger storage engine.\n", + "fields": [ + { + "description": "Statistics about the transactions currently in progress.\n", + "fields": [ + { + "description": "Number of concurrent write transaction in progress.\n", + "name": "write.out", + "type": "long" + }, + { + "description": "Number of concurrent write tickets available.\n", + "name": "write.available", + "type": "long" + }, + { + "description": "Number of total write tickets.\n", + "name": "write.total_tickets", + "type": "long" + }, + { + "description": "Number of concurrent read transaction in progress.\n", + "name": "read.out", + "type": "long" + }, + { + "description": "Number of concurrent read tickets available.\n", + "name": "read.available", + "type": "long" + }, + { + "description": "Number of total read tickets.\n", + "name": "read.total_tickets", + "type": "long" + } + ], + "name": "concurrent_transactions", + "type": "group" + }, + { + "description": "Statistics about the cache and page evictions from the cache.\n", + "fields": [ + { + "description": "Maximum cache size.\n", + "format": "bytes", + "name": "maximum.bytes", + "type": "long" + }, + { + "description": "Size in byte of the data currently in cache.\n", + "format": "bytes", + "name": 
"used.bytes", + "type": "long" + }, + { + "description": "Size in bytes of the dirty data in the cache.\n", + "format": "bytes", + "name": "dirty.bytes", + "type": "long" + }, + { + "description": "Number of pages read into the cache.\n", + "name": "pages.read", + "type": "long" + }, + { + "description": "Number of pages written from the cache.\n", + "name": "pages.write", + "type": "long" + }, + { + "description": "Number of pages evicted from the cache.\n", + "name": "pages.evicted", + "type": "long" + } + ], + "name": "cache", + "type": "group" + }, + { + "description": "Statistics about the write ahead log used by WiredTiger.\n", + "fields": [ + { + "description": "Total log size in bytes.\n", + "format": "bytes", + "name": "size.bytes", + "type": "long" + }, + { + "description": "Number of bytes written into the log.\n", + "format": "bytes", + "name": "write.bytes", + "type": "long" + }, + { + "description": "Maximum file size.\n", + "format": "bytes", + "name": "max_file_size.bytes", + "type": "long" + }, + { + "description": "Number of flush operations.\n", + "name": "flushes", + "type": "long" + }, + { + "description": "Number of write operations.\n", + "name": "writes", + "type": "long" + }, + { + "description": "Number of scan operations.\n", + "name": "scans", + "type": "long" + }, + { + "description": "Number of sync operations.\n", + "name": "syncs", + "type": "long" + } + ], + "name": "log", + "type": "group" + } + ], + "name": "wired_tiger", + "type": "group" + } + ], + "name": "status", + "type": "group" + } + ], + "name": "mongodb", + "type": "group" + } + ], + "key": "mongodb", + "short_config": false, + "title": "MongoDB" + }, + { + "description": "MySQL server status metrics collected from MySQL.\n", + "fields": [ + { + "description": "`mysql` contains the metrics that were obtained from MySQL query.\n", + "fields": [ + { + "description": "`status` contains the metrics that were obtained by the status SQL query.\n", + "fields": [ + { + 
"description": "Aborted status fields.\n", + "fields": [ + { + "description": "The number of connections that were aborted because the client died without closing the connection properly.\n", + "name": "clients", + "type": "long" + }, + { + "description": "The number of failed attempts to connect to the MySQL server.\n", + "name": "connects", + "type": "long" + } + ], + "name": "aborted", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "", + "name": "cache.disk_use", + "type": "long" + }, + { + "description": "", + "name": "cache.use", + "type": "long" + } + ], + "name": "binlog", + "type": "group" + }, + { + "description": "Bytes stats.\n", + "fields": [ + { + "description": "The number of bytes received from all clients.\n", + "format": "bytes", + "name": "received", + "type": "long" + }, + { + "description": "The number of bytes sent to all clients.\n", + "format": "bytes", + "name": "sent", + "type": "long" + } + ], + "name": "bytes", + "type": "group" + }, + { + "description": "Threads stats.\n", + "fields": [ + { + "description": "The number of cached threads.\n", + "name": "cached", + "type": "long" + }, + { + "description": "The number of created threads.\n", + "name": "created", + "type": "long" + }, + { + "description": "The number of connected threads.\n", + "name": "connected", + "type": "long" + }, + { + "description": "The number of running threads.\n", + "name": "running", + "type": "long" + } + ], + "name": "threads", + "type": "group" + }, + { + "description": "", + "name": "connections", + "type": "long" + }, + { + "description": "", + "fields": [ + { + "description": "", + "name": "tmp.disk_tables", + "type": "long" + }, + { + "description": "", + "name": "tmp.files", + "type": "long" + }, + { + "description": "", + "name": "tmp.tables", + "type": "long" + } + ], + "name": "created", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "", + "name": "errors", + "type": "long" + }, + 
{ + "description": "", + "name": "insert_threads", + "type": "long" + }, + { + "description": "", + "name": "writes", + "type": "long" + } + ], + "name": "delayed", + "type": "group" + }, + { + "description": "", + "name": "flush_commands", + "type": "long" + }, + { + "description": "", + "name": "max_used_connections", + "type": "long" + }, + { + "description": "", + "fields": [ + { + "description": "", + "name": "files", + "type": "long" + }, + { + "description": "", + "name": "streams", + "type": "long" + }, + { + "description": "", + "name": "tables", + "type": "long" + } + ], + "name": "open", + "type": "group" + }, + { + "description": "", + "name": "opened_tables", + "type": "long" + }, + { + "description": "", + "fields": [ + { + "description": "The number of DELETE queries since startup.\n", + "name": "delete", + "type": "long" + }, + { + "description": "The number of INSERT queries since startup.\n", + "name": "insert", + "type": "long" + }, + { + "description": "The number of SELECT queries since startup.\n", + "name": "select", + "type": "long" + }, + { + "description": "The number of UPDATE queries since startup.\n", + "name": "update", + "type": "long" + } + ], + "name": "command", + "type": "group" + } + ], + "name": "status", + "type": "group" + } + ], + "name": "mysql", + "type": "group" + } + ], + "key": "mysql", + "short_config": false, + "title": "MySQL" + }, + { + "description": "Nginx server status metrics collected from various modules.\n", + "fields": [ + { + "description": "`nginx` contains the metrics that were scraped from nginx.\n", + "fields": [ + { + "description": "`stubstatus` contains the metrics that were scraped from the ngx_http_stub_status_module status page.\n", + "fields": [ + { + "description": "Nginx hostname.\n", + "name": "hostname", + "type": "keyword" + }, + { + "description": "The current number of active client connections including Waiting connections.\n", + "name": "active", + "type": "long" + }, + { + "description": 
"The total number of accepted client connections.\n", + "name": "accepts", + "type": "long" + }, + { + "description": "The total number of handled client connections.\n", + "name": "handled", + "type": "long" + }, + { + "description": "The total number of dropped client connections.\n", + "name": "dropped", + "type": "long" + }, + { + "description": "The total number of client requests.\n", + "name": "requests", + "type": "long" + }, + { + "description": "The current number of client requests.\n", + "name": "current", + "type": "long" + }, + { + "description": "The current number of connections where Nginx is reading the request header.\n", + "name": "reading", + "type": "long" + }, + { + "description": "The current number of connections where Nginx is writing the response back to the client.\n", + "name": "writing", + "type": "long" + }, + { + "description": "The current number of idle client connections waiting for a request.\n", + "name": "waiting", + "type": "long" + } + ], + "name": "stubstatus", + "type": "group" + } + ], + "name": "nginx", + "type": "group" + } + ], + "key": "nginx", + "short_config": false, + "title": "Nginx" + }, + { + "description": "beta[]\nPHP-FPM server status metrics collected from PHP-FPM.\n", + "fields": [ + { + "description": "`php_fpm` contains the metrics that were obtained from PHP-FPM status page call.\n", + "fields": [ + { + "description": "`pool` contains the metrics that were obtained from the PHP-FPM process pool.\n", + "fields": [ + { + "description": "The name of the pool.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Connection state specific statistics.\n", + "fields": [ + { + "description": "The number of incoming requests that the PHP-FPM server has accepted; when a connection is accepted it is removed from the listen queue.\n", + "name": "accepted", + "type": "long" + }, + { + "description": "The current number of connections that have been initiated, but not yet accepted. 
If this value is non-zero it typically means that all the available server processes are currently busy, and there are no processes available to serve the next request. Raising `pm.max_children` (provided the server can handle it) should help keep this number low. This property follows from the fact that PHP-FPM listens via a socket (TCP or file based), and thus inherits some of the characteristics of sockets.\n", + "name": "queued", + "type": "long" + } + ], + "name": "connections", + "type": "group" + }, + { + "description": "Process state specific statistics.\n", + "fields": [ + { + "description": "The number of servers in the `waiting to process` state (i.e. not currently serving a page). This value should fall between the `pm.min_spare_servers` and `pm.max_spare_servers` values when the process manager is `dynamic`.\n", + "name": "idle", + "type": "long" + }, + { + "description": "The number of servers current processing a page - the minimum is `1` (so even on a fully idle server, the result will be not read `0`).\n", + "name": "active", + "type": "long" + } + ], + "name": "processes", + "type": "group" + }, + { + "description": "The number of times a request execution time has exceeded `request_slowlog_timeout`.\n", + "name": "slow_requests", + "type": "long" + } + ], + "name": "pool", + "type": "group" + } + ], + "name": "php_fpm", + "type": "group" + } + ], + "key": "php_fpm", + "short_config": false, + "title": "PHP_FPM" + }, + { + "description": "Metrics collected from PostgreSQL servers.\n", + "fields": [ + { + "description": "PostgreSQL metrics.\n", + "fields": [ + { + "description": "One document per server process, showing information related to the current activity of that process, such as state and current query. 
Collected by querying pg_stat_activity.\n", + "fields": [ + { + "description": "OID of the database this backend is connected to.\n", + "name": "database.oid", + "type": "long" + }, + { + "description": "Name of the database this backend is connected to.\n", + "name": "database.name", + "type": "keyword" + }, + { + "description": "Process ID of this backend.\n", + "name": "pid", + "type": "long" + }, + { + "description": "OID of the user logged into this backend.\n", + "name": "user.id", + "type": "long" + }, + { + "description": "Name of the user logged into this backend.\n", + "name": "user.name" + }, + { + "description": "Name of the application that is connected to this backend.\n", + "name": "application_name" + }, + { + "description": "IP address of the client connected to this backend.\n", + "name": "client.address" + }, + { + "description": "Host name of the connected client, as reported by a reverse DNS lookup of client_addr.\n", + "name": "client.hostname" + }, + { + "description": "TCP port number that the client is using for communication with this backend, or -1 if a Unix socket is used.\n", + "name": "client.port", + "type": "long" + }, + { + "description": "Time when this process was started, i.e., when the client connected to the server.\n", + "name": "backend_start", + "type": "date" + }, + { + "description": "Time when this process' current transaction was started.\n", + "name": "transaction_start", + "type": "date" + }, + { + "description": "Time when the currently active query was started, or if state is not active, when the last query was started.\n", + "name": "query_start", + "type": "date" + }, + { + "description": "Time when the state was last changed.\n", + "name": "state_change", + "type": "date" + }, + { + "description": "True if this backend is currently waiting on a lock.\n", + "name": "waiting", + "type": "boolean" + }, + { + "description": "Current overall state of this backend. 
Possible values are:\n\n * active: The backend is executing a query.\n * idle: The backend is waiting for a new client command.\n * idle in transaction: The backend is in a transaction, but is not\n currently executing a query.\n * idle in transaction (aborted): This state is similar to idle in\n transaction, except one of the statements in the transaction caused\n an error.\n * fastpath function call: The backend is executing a fast-path function.\n * disabled: This state is reported if track_activities is disabled in this backend.\n", + "name": "state" + }, + { + "description": "Text of this backend's most recent query. If state is active this field shows the currently executing query. In all other states, it shows the last query that was executed.\n", + "name": "query" + } + ], + "name": "activity", + "type": "group" + }, + { + "description": "Statistics about the background writer process's activity. Collected using the pg_stat_bgwriter query.\n", + "fields": [ + { + "description": "Number of scheduled checkpoints that have been performed.\n", + "name": "checkpoints.scheduled", + "type": "long" + }, + { + "description": "Number of requested checkpoints that have been performed.\n", + "name": "checkpoints.requested", + "type": "long" + }, + { + "description": "Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk, in milliseconds.\n", + "name": "checkpoints.times.write.ms", + "type": "float" + }, + { + "description": "Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk, in milliseconds.\n", + "name": "checkpoints.times.sync.ms", + "type": "float" + }, + { + "description": "Number of buffers written during checkpoints.\n", + "name": "buffers.checkpoints", + "type": "long" + }, + { + "description": "Number of buffers written by the background writer.\n", + "name": "buffers.clean", + "type": "long" + }, + { + "description": "Number of times 
the background writer stopped a cleaning scan because it had written too many buffers.\n", + "name": "buffers.clean_full", + "type": "long" + }, + { + "description": "Number of buffers written directly by a backend.\n", + "name": "buffers.backend", + "type": "long" + }, + { + "description": "Number of times a backend had to execute its own fsync call (normally the background writer handles those even when the backend does its own write)\n", + "name": "buffers.backend_fsync", + "type": "long" + }, + { + "description": "Number of buffers allocated.\n", + "name": "buffers.allocated", + "type": "long" + }, + { + "description": "Time at which these statistics were last reset.\n", + "name": "stats_reset", + "type": "date" + } + ], + "name": "bgwriter", + "type": "group" + }, + { + "description": "One row per database, showing database-wide statistics. Collected by querying pg_stat_database\n", + "fields": [ + { + "description": "OID of the database this backend is connected to.\n", + "name": "oid", + "type": "long" + }, + { + "description": "Name of the database this backend is connected to.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Number of backends currently connected to this database.\n", + "name": "number_of_backends", + "type": "long" + }, + { + "description": "Number of transactions in this database that have been committed.\n", + "name": "transactions.commit", + "type": "long" + }, + { + "description": "Number of transactions in this database that have been rolled back.\n", + "name": "transactions.rollback", + "type": "long" + }, + { + "description": "Number of disk blocks read in this database.\n", + "name": "blocks.read", + "type": "long" + }, + { + "description": "Number of times disk blocks were found already in the buffer cache, so that a read was not necessary (this only includes hits in the PostgreSQL buffer cache, not the operating system's file system cache).\n", + "name": "blocks.hit", + "type": "long" + }, + { + 
"description": "Time spent reading data file blocks by backends in this database, in milliseconds.\n", + "name": "blocks.time.read.ms", + "type": "long" + }, + { + "description": "Time spent writing data file blocks by backends in this database, in milliseconds.\n", + "name": "blocks.time.write.ms", + "type": "long" + }, + { + "description": "Number of rows returned by queries in this database.\n", + "name": "rows.returned", + "type": "long" + }, + { + "description": "Number of rows fetched by queries in this database.\n", + "name": "rows.fetched", + "type": "long" + }, + { + "description": "Number of rows inserted by queries in this database.\n", + "name": "rows.inserted", + "type": "long" + }, + { + "description": "Number of rows updated by queries in this database.\n", + "name": "rows.updated", + "type": "long" + }, + { + "description": "Number of rows deleted by queries in this database.\n", + "name": "rows.deleted", + "type": "long" + }, + { + "description": "Number of queries canceled due to conflicts with recovery in this database.\n", + "name": "conflicts", + "type": "long" + }, + { + "description": "Number of temporary files created by queries in this database. All temporary files are counted, regardless of why the temporary file was created (e.g., sorting or hashing), and regardless of the log_temp_files setting.\n", + "name": "temporary.files", + "type": "long" + }, + { + "description": "Total amount of data written to temporary files by queries in this database. 
All temporary files are counted, regardless of why the temporary file was created, and regardless of the log_temp_files setting.\n", + "name": "temporary.bytes", + "type": "long" + }, + { + "description": "Number of deadlocks detected in this database.\n", + "name": "deadlocks", + "type": "long" + }, + { + "description": "Time at which these statistics were last reset.\n", + "name": "stats_reset", + "type": "date" + } + ], + "name": "database", + "type": "group" + } + ], + "name": "postgresql", + "type": "group" + } + ], + "key": "postgresql", + "short_config": false, + "title": "PostgreSQL" + }, + { + "description": "beta[]\nStats collected from Prometheus.\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "Stats about the Prometheus server.\n", + "fields": [ + { + "description": "Notification stats.\n", + "fields": [ + { + "description": "Current queue length.\n", + "name": "queue_length", + "type": "long" + }, + { + "description": "Number of dropped queue events.\n", + "name": "dropped", + "type": "long" + } + ], + "name": "notifications", + "type": "group" + }, + { + "description": "Number of open file descriptors.\n", + "name": "processes.open_fds", + "type": "long" + }, + { + "description": "Number of memory chunks that are not yet persisted to disk.\n", + "name": "storage.chunks_to_persist", + "type": "long" + } + ], + "name": "stats", + "type": "group" + } + ], + "name": "prometheus", + "type": "group" + } + ], + "key": "prometheus", + "short_config": false, + "title": "Prometheus" + }, + { + "description": "experimental[]\nRabbitMQ module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "node\n", + "fields": [ + { + "description": "Disk free space in bytes.\n", + "format": "bytes", + "name": "disk.free.bytes", + "type": "long" + }, + { + "description": "Point at which the disk alarm will go off.\n", + "format": "bytes", + "name": "disk.free.limit.bytes", + "type": "long" + }, + { + "description": 
"File descriptors available.\n", + "name": "fd.total", + "type": "long" + }, + { + "description": "Used file descriptors.\n", + "name": "fd.used", + "type": "long" + }, + { + "description": "Number of GC operations.\n", + "name": "gc.num.count", + "type": "long" + }, + { + "description": "GC bytes reclaimed.\n", + "format": "bytes", + "name": "gc.reclaimed.bytes", + "type": "long" + }, + { + "description": "File handle open avg time\n", + "name": "io.file_handle.open_attempt.avg.ms", + "type": "long" + }, + { + "description": "File handle open attempts\n", + "name": "io.file_handle.open_attempt.count", + "type": "long" + }, + { + "description": "File handle read avg time\n", + "name": "io.read.avg.ms", + "type": "long" + }, + { + "description": "Data read in bytes\n", + "format": "bytes", + "name": "io.read.bytes", + "type": "long" + }, + { + "description": "Data read operations\n", + "name": "io.read.count", + "type": "long" + }, + { + "description": "Data reopen operations\n", + "name": "io.reopen.count", + "type": "long" + }, + { + "description": "Data seek avg time\n", + "name": "io.seek.avg.ms", + "type": "long" + }, + { + "description": "Data seek operations\n", + "name": "io.seek.count", + "type": "long" + }, + { + "description": "Data sync avg time\n", + "name": "io.sync.avg.ms", + "type": "long" + }, + { + "description": "Data sync operations\n", + "name": "io.sync.count", + "type": "long" + }, + { + "description": "Data write avg time\n", + "name": "io.write.avg.ms", + "type": "long" + }, + { + "description": "Data write in bytes\n", + "format": "bytes", + "name": "io.write.bytes", + "type": "long" + }, + { + "description": "Data write operations\n", + "name": "io.write.count", + "type": "long" + }, + { + "description": "Point at which the memory alarm will go off.\n", + "format": "bytes", + "name": "mem.limit.bytes", + "type": "long" + }, + { + "description": "Memory used in bytes.\n", + "name": "mem.used.bytes", + "type": "long" + }, + { + 
"description": "Number of Mnesia transactions which have been performed that required writes to disk.\n", + "name": "mnesia.disk.tx.count", + "type": "long" + }, + { + "description": "Number of Mnesia transactions which have been performed that did not require writes to disk.\n", + "name": "mnesia.ram.tx.count", + "type": "long" + }, + { + "description": "Number of messages which have been read from the message store.\n", + "name": "msg.store_read.count", + "type": "long" + }, + { + "description": "Number of messages which have been written to the message store.\n", + "name": "msg.store_write.count", + "type": "long" + }, + { + "description": "Node name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Maximum number of Erlang processes.\n", + "name": "proc.total", + "type": "long" + }, + { + "description": "Number of Erlang processes in use.\n", + "name": "proc.used", + "type": "long" + }, + { + "description": "Number of cores detected and usable by Erlang.\n", + "name": "processors", + "type": "long" + }, + { + "description": "Number of records written to the queue index journal.\n", + "name": "queue.index.journal_write.count", + "type": "long" + }, + { + "description": "Number of records read from the queue index.\n", + "name": "queue.index.read.count", + "type": "long" + }, + { + "description": "Number of records written to the queue index.\n", + "name": "queue.index.write.count", + "type": "long" + }, + { + "description": "Average number of Erlang processes waiting to run.\n", + "name": "run.queue", + "type": "long" + }, + { + "description": "File descriptors available for use as sockets.\n", + "name": "socket.total", + "type": "long" + }, + { + "description": "File descriptors used as sockets.\n", + "name": "socket.used", + "type": "long" + }, + { + "description": "Node type.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Node uptime.\n", + "name": "uptime", + "type": "long" + } + ], + "name": "node", + "type": "group" 
+ }, + { + "description": "queue\n", + "fields": [ + { + "description": "The name of the queue with non-ASCII characters escaped as in C.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Virtual host name with non-ASCII characters escaped as in C.\n", + "name": "vhost", + "type": "keyword" + }, + { + "description": "Whether or not the queue survives server restarts.\n", + "name": "durable", + "type": "boolean" + }, + { + "description": "Whether the queue will be deleted automatically when no longer used.\n", + "name": "auto_delete", + "type": "boolean" + }, + { + "description": "Whether the queue is exclusive (i.e. has owner_pid).\n", + "name": "exclusive", + "type": "boolean" + }, + { + "description": "Node name.\n", + "name": "node", + "type": "keyword" + }, + { + "description": "The state of the queue. Normally 'running', but may be \"{syncing, MsgCount}\" if the queue is synchronising. Queues which are located on cluster nodes that are currently down will be shown with a status of 'down'.\n", + "name": "state", + "type": "keyword" + }, + { + "description": "Maximum number of priority levels for the queue to support.\n", + "name": "arguments.max_priority", + "type": "long" + }, + { + "description": "Number of consumers.\n", + "name": "consumers.count", + "type": "long" + }, + { + "description": "Fraction of the time (between 0.0 and 1.0) that the queue is able to immediately deliver messages to consumers. 
This can be less than 1.0 if consumers are limited by network congestion or prefetch count.\n", + "format": "percent", + "name": "consumers.utilisation.pct", + "type": "long" + }, + { + "description": "Sum of ready and unacknowledged messages (queue depth).\n", + "name": "messages.total.count", + "type": "long" + }, + { + "description": "Number of messages ready to be delivered to clients.\n", + "name": "messages.ready.count", + "type": "long" + }, + { + "description": "Number of messages delivered to clients but not yet acknowledged.\n", + "name": "messages.unacknowledged.count", + "type": "long" + }, + { + "description": "Total number of persistent messages in the queue (will always be 0 for transient queues).\n", + "name": "messages.persistent.count", + "type": "long" + }, + { + "description": "Bytes of memory consumed by the Erlang process associated with the queue, including stack, heap and internal structures.\n", + "format": "bytes", + "name": "memory.bytes", + "type": "long" + }, + { + "description": "Total number of times messages have been read from disk by this queue since it started.\n", + "name": "disk.reads.count", + "type": "long" + }, + { + "description": "Total number of times messages have been written to disk by this queue since it started.\n", + "name": "disk.writes.count", + "type": "long" + } + ], + "name": "queue", + "type": "group" + } + ], + "name": "rabbitmq", + "type": "group" + } + ], + "key": "rabbitmq", + "title": "RabbitMQ" + }, + { + "description": "Redis metrics collected from Redis.\n", + "fields": [ + { + "description": "`redis` contains the information and statistics from Redis.\n", + "fields": [ + { + "description": "`info` contains the information and statistics returned by the `INFO` command.\n", + "fields": [ + { + "description": "Redis client stats.\n", + "fields": [ + { + "description": "Number of client connections (excluding connections from slaves).\n", + "name": "connected", + "type": "long" + }, + { + "description": 
"Longest output list among current client connections.\n", + "name": "longest_output_list", + "type": "long" + }, + { + "description": "Biggest input buffer among current client connections.\n", + "name": "biggest_input_buf", + "type": "long" + }, + { + "description": "Number of clients pending on a blocking call (BLPOP, BRPOP, BRPOPLPUSH).\n", + "name": "blocked", + "type": "long" + } + ], + "name": "clients", + "type": "group" + }, + { + "description": "Redis cluster information.\n", + "fields": [ + { + "description": "Indicates that the Redis cluster is enabled.\n", + "name": "enabled", + "type": "boolean" + } + ], + "name": "cluster", + "type": "group" + }, + { + "description": "Redis CPU stats\n", + "fields": [ + { + "description": "System CPU consumed by the Redis server.\n", + "name": "used.sys", + "type": "scaled_float" + }, + { + "description": "User CPU consumed by the Redis server.\n", + "name": "used.sys_children", + "type": "scaled_float" + }, + { + "description": "System CPU consumed by the background processes.\n", + "name": "used.user", + "type": "scaled_float" + }, + { + "description": "User CPU consumed by the background processes.\n", + "name": "used.user_children", + "type": "scaled_float" + } + ], + "name": "cpu", + "type": "group" + }, + { + "description": "Redis memory stats.\n", + "fields": [ + { + "description": "Used memory.\n", + "format": "bytes", + "name": "used.value", + "type": "long" + }, + { + "description": "Used memory rss.\n", + "format": "bytes", + "name": "used.rss", + "type": "long" + }, + { + "description": "Used memory peak.\n", + "format": "bytes", + "name": "used.peak", + "type": "long" + }, + { + "description": "Used memory lua.\n", + "format": "bytes", + "name": "used.lua", + "type": "long" + }, + { + "description": "Memory allocator.\n", + "name": "allocator", + "type": "keyword" + } + ], + "name": "memory", + "type": "group" + }, + { + "description": "Redis CPU stats.\n", + "fields": [ + { + "description": null, + 
"name": "loading", + "type": "boolean" + }, + { + "description": null, + "fields": [ + { + "description": null, + "name": "last_save.changes_since", + "type": "long" + }, + { + "description": null, + "name": "bgsave.in_progress", + "type": "boolean" + }, + { + "description": null, + "name": "last_save.time", + "type": "long" + }, + { + "description": null, + "name": "bgsave.last_status", + "type": "keyword" + }, + { + "description": null, + "name": "bgsave.last_time.sec", + "type": "long" + }, + { + "description": null, + "name": "bgsave.current_time.sec", + "type": "long" + } + ], + "name": "rdb", + "type": "group" + }, + { + "description": null, + "fields": [ + { + "description": null, + "name": "enabled", + "type": "boolean" + }, + { + "description": null, + "name": "rewrite.in_progress", + "type": "boolean" + }, + { + "description": null, + "name": "rewrite.scheduled", + "type": "boolean" + }, + { + "description": null, + "name": "rewrite.last_time.sec", + "type": "long" + }, + { + "description": null, + "name": "rewrite.current_time.sec", + "type": "long" + }, + { + "description": null, + "name": "bgrewrite.last_status", + "type": "keyword" + }, + { + "description": null, + "name": "write.last_status", + "type": "keyword" + } + ], + "name": "aof", + "type": "group" + } + ], + "name": "persistence", + "type": "group" + }, + { + "description": "Replication\n", + "fields": [ + { + "description": null, + "name": "role", + "type": "keyword" + }, + { + "description": null, + "name": "connected_slaves", + "type": "long" + }, + { + "description": null, + "name": "master_offset", + "type": "long" + }, + { + "description": null, + "name": "backlog.active", + "type": "long" + }, + { + "description": null, + "name": "backlog.size", + "type": "long" + }, + { + "description": null, + "name": "backlog.first_byte_offset", + "type": "long" + }, + { + "description": null, + "name": "backlog.histlen", + "type": "long" + } + ], + "name": "replication", + "type": "group" + }, + { 
+ "description": "Server info\n", + "fields": [ + { + "description": null, + "name": "version", + "type": "keyword" + }, + { + "description": null, + "name": "git_sha1", + "type": "keyword" + }, + { + "description": null, + "name": "git_dirty", + "type": "keyword" + }, + { + "description": null, + "name": "build_id", + "type": "keyword" + }, + { + "description": null, + "name": "mode", + "type": "keyword" + }, + { + "description": null, + "name": "os", + "type": "keyword" + }, + { + "description": null, + "name": "arch_bits", + "type": "keyword" + }, + { + "description": null, + "name": "multiplexing_api", + "type": "keyword" + }, + { + "description": null, + "name": "gcc_version", + "type": "keyword" + }, + { + "description": null, + "name": "process_id", + "type": "long" + }, + { + "description": null, + "name": "run_id", + "type": "keyword" + }, + { + "description": null, + "name": "tcp_port", + "type": "long" + }, + { + "description": null, + "name": "uptime", + "type": "long" + }, + { + "description": null, + "name": "hz", + "type": "long" + }, + { + "description": null, + "name": "lru_clock", + "type": "long" + }, + { + "description": null, + "name": "config_file", + "type": "keyword" + } + ], + "name": "server", + "type": "group" + }, + { + "description": "Redis stats.\n", + "fields": [ + { + "description": "Total number of connections received.", + "name": "connections.received", + "type": "long" + }, + { + "description": "Total number of connections rejected.", + "name": "connections.rejected", + "type": "long" + }, + { + "description": "Total number of commands processed.", + "name": "commands_processed", + "type": "long" + }, + { + "description": "Total network input in bytes.", + "name": "net.input.bytes", + "type": "long" + }, + { + "description": "Total network output in bytes.", + "name": "net.output.bytes", + "type": "long" + }, + { + "description": null, + "name": "instantaneous.ops_per_sec", + "type": "long" + }, + { + "description": null, + 
"name": "instantaneous.input_kbps", + "type": "scaled_float" + }, + { + "description": null, + "name": "instantaneous.output_kbps", + "type": "scaled_float" + }, + { + "description": null, + "name": "sync.full", + "type": "long" + }, + { + "description": null, + "name": "sync.partial.ok", + "type": "long" + }, + { + "description": null, + "name": "sync.partial.err", + "type": "long" + }, + { + "description": null, + "name": "keys.expired", + "type": "long" + }, + { + "description": null, + "name": "keys.evicted", + "type": "long" + }, + { + "description": null, + "name": "keyspace.hits", + "type": "long" + }, + { + "description": null, + "name": "keyspace.misses", + "type": "long" + }, + { + "description": null, + "name": "pubsub.channels", + "type": "long" + }, + { + "description": null, + "name": "pubsub.patterns", + "type": "long" + }, + { + "description": null, + "name": "latest_fork_usec", + "type": "long" + }, + { + "description": null, + "name": "migrate_cached_sockets", + "type": "long" + } + ], + "name": "stats", + "type": "group" + } + ], + "name": "info", + "type": "group" + }, + { + "description": "`keyspace` contains the information about the keyspaces returned by the `INFO` command.\n", + "fields": [ + { + "description": "Keyspace identifier.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Average ttl.\n", + "name": "avg_ttl", + "type": "long" + }, + { + "description": "Number of keys in the keyspace.\n", + "name": "keys", + "type": "long" + }, + { + "description": "", + "name": "expires", + "type": "long" + } + ], + "name": "keyspace", + "type": "group" + } + ], + "name": "redis", + "type": "group" + } + ], + "key": "redis", + "title": "Redis" + }, + { + "description": "System status metrics, like CPU and memory usage, that are collected from the operating system.\n", + "fields": [ + { + "description": "`system` contains local system metrics.\n", + "fields": [ + { + "description": "`system-core` contains CPU metrics for a single 
core of a multi-core system.\n", + "fields": [ + { + "description": "CPU Core number.\n", + "name": "id", + "type": "long" + }, + { + "description": "The percentage of CPU time spent in user space.\n", + "format": "percent", + "name": "user.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent in user space.\n", + "name": "user.ticks", + "type": "long" + }, + { + "description": "The percentage of CPU time spent in kernel space.\n", + "format": "percent", + "name": "system.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent in kernel space.\n", + "name": "system.ticks", + "type": "long" + }, + { + "description": "The percentage of CPU time spent on low-priority processes.\n", + "format": "percent", + "name": "nice.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent on low-priority processes.\n", + "name": "nice.ticks", + "type": "long" + }, + { + "description": "The percentage of CPU time spent idle.\n", + "format": "percent", + "name": "idle.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent idle.\n", + "name": "idle.ticks", + "type": "long" + }, + { + "description": "The percentage of CPU time spent in wait (on disk).\n", + "format": "percent", + "name": "iowait.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent in wait (on disk).\n", + "name": "iowait.ticks", + "type": "long" + }, + { + "description": "The percentage of CPU time spent servicing and handling hardware interrupts.\n", + "format": "percent", + "name": "irq.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent servicing and handling hardware interrupts.\n", + "name": "irq.ticks", + "type": "long" + }, + { + "description": "The percentage of CPU time spent servicing and handling software interrupts.\n", + "format": "percent", + "name": "softirq.pct", + "type": "scaled_float" + }, + { + 
"description": "The amount of CPU time spent servicing and handling software interrupts.\n", + "name": "softirq.ticks", + "type": "long" + }, + { + "description": "The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.\n", + "format": "percent", + "name": "steal.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.\n", + "name": "steal.ticks", + "type": "long" + } + ], + "name": "core", + "type": "group" + }, + { + "description": "`cpu` contains local CPU stats.\n", + "fields": [ + { + "description": "The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%.\n", + "name": "cores", + "type": "long" + }, + { + "description": "The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. 
For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%.\n", + "format": "percent", + "name": "user.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in kernel space.\n", + "format": "percent", + "name": "system.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent on low-priority processes.\n", + "format": "percent", + "name": "nice.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent idle.\n", + "format": "percent", + "name": "idle.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in wait (on disk).\n", + "format": "percent", + "name": "iowait.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent servicing and handling hardware interrupts.\n", + "format": "percent", + "name": "irq.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent servicing and handling software interrupts.\n", + "format": "percent", + "name": "softirq.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. 
Available only on Unix.\n", + "format": "percent", + "name": "steal.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in non-idle state.\n", + "format": "percent", + "name": "total.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in user space.\n", + "format": "percent", + "name": "user.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in kernel space.\n", + "format": "percent", + "name": "system.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent on low-priority processes.\n", + "format": "percent", + "name": "nice.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent idle.\n", + "format": "percent", + "name": "idle.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in wait (on disk).\n", + "format": "percent", + "name": "iowait.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent servicing and handling hardware interrupts.\n", + "format": "percent", + "name": "irq.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent servicing and handling software interrupts.\n", + "format": "percent", + "name": "softirq.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. 
Available only on Unix.\n", + "format": "percent", + "name": "steal.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in non-idle state.\n", + "format": "percent", + "name": "total.norm.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent in user space.\n", + "name": "user.ticks", + "type": "long" + }, + { + "description": "The amount of CPU time spent in kernel space.\n", + "name": "system.ticks", + "type": "long" + }, + { + "description": "The amount of CPU time spent on low-priority processes.\n", + "name": "nice.ticks", + "type": "long" + }, + { + "description": "The amount of CPU time spent idle.\n", + "name": "idle.ticks", + "type": "long" + }, + { + "description": "The amount of CPU time spent in wait (on disk).\n", + "name": "iowait.ticks", + "type": "long" + }, + { + "description": "The amount of CPU time spent servicing and handling hardware interrupts.\n", + "name": "irq.ticks", + "type": "long" + }, + { + "description": "The amount of CPU time spent servicing and handling software interrupts.\n", + "name": "softirq.ticks", + "type": "long" + }, + { + "description": "The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.\n", + "name": "steal.ticks", + "type": "long" + } + ], + "name": "cpu", + "type": "group" + }, + { + "description": "`disk` contains disk IO metrics collected from the operating system.\n", + "fields": [ + { + "description": "The disk name.\n", + "example": "sda1", + "name": "name", + "type": "keyword" + }, + { + "description": "The disk's serial number. 
This may not be provided by all operating systems.\n", + "name": "serial_number", + "type": "keyword" + }, + { + "description": "The total number of reads completed successfully.\n", + "name": "read.count", + "type": "long" + }, + { + "description": "The total number of writes completed successfully.\n", + "name": "write.count", + "type": "long" + }, + { + "description": "The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512.\n", + "format": "bytes", + "name": "read.bytes", + "type": "long" + }, + { + "description": "The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512.\n", + "format": "bytes", + "name": "write.bytes", + "type": "long" + }, + { + "description": "The total number of milliseconds spent by all reads.\n", + "name": "read.time", + "type": "long" + }, + { + "description": "The total number of milliseconds spent by all writes.\n", + "name": "write.time", + "type": "long" + }, + { + "description": "The total number of of milliseconds spent doing I/Os.\n", + "name": "io.time", + "type": "long" + }, + { + "description": "The number of read requests merged per second that were queued to the device.\n", + "name": "iostat.read.request.merges_per_sec", + "type": "float" + }, + { + "description": "The number of write requests merged per second that were queued to the device.\n", + "name": "iostat.write.request.merges_per_sec", + "type": "float" + }, + { + "description": "The number of read requests that were issued to the device per second\n", + "name": "iostat.read.request.per_sec", + "type": "float" + }, + { + "description": "The number of write requests that were issued to the device per second\n", + "name": "iostat.write.request.per_sec", + "type": "float" + }, + { + "description": "The number of Bytes read from the device per second.\n", + "format": "bytes", + "name": "iostat.read.per_sec.bytes", 
+ "type": "float" + }, + { + "description": "The number of Bytes write from the device per second.\n", + "format": "bytes", + "name": "iostat.write.per_sec.bytes", + "type": "float" + }, + { + "description": "The average size (in sectors) of the requests that were issued to the device.\n", + "name": "iostat.request.avg_size", + "type": "float" + }, + { + "description": "The average queue length of the requests that were issued to the device.\n", + "name": "iostat.queue.avg_size", + "type": "float" + }, + { + "description": "The average queue length of the requests that were issued to the device.\n", + "name": "iostat.await", + "type": "float" + }, + { + "description": "The average service time (in milliseconds) for I/O requests that were issued to the device.\n", + "name": "iostat.service_time", + "type": "float" + }, + { + "description": "Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%.\n", + "name": "iostat.busy", + "type": "float" + } + ], + "name": "diskio", + "type": "group" + }, + { + "description": "`filesystem` contains local filesystem stats.\n", + "fields": [ + { + "description": "The disk space available to an unprivileged user in bytes.\n", + "format": "bytes", + "name": "available", + "type": "long" + }, + { + "description": "The disk name. For example: `/dev/disk1`\n", + "name": "device_name", + "type": "keyword" + }, + { + "description": "The disk type. For example: `ext4`\n", + "name": "type", + "type": "keyword" + }, + { + "description": "The mounting point. 
For example: `/`\n", + "name": "mount_point", + "type": "keyword" + }, + { + "description": "The total number of file nodes in the file system.\n", + "name": "files", + "type": "long" + }, + { + "description": "The disk space available in bytes.\n", + "format": "bytes", + "name": "free", + "type": "long" + }, + { + "description": "The number of free file nodes in the file system.\n", + "name": "free_files", + "type": "long" + }, + { + "description": "The total disk space in bytes.\n", + "format": "bytes", + "name": "total", + "type": "long" + }, + { + "description": "The used disk space in bytes.\n", + "format": "bytes", + "name": "used.bytes", + "type": "long" + }, + { + "description": "The percentage of used disk space.\n", + "format": "percent", + "name": "used.pct", + "type": "scaled_float" + } + ], + "name": "filesystem", + "type": "group" + }, + { + "description": "`system.fsstat` contains filesystem metrics aggregated from all mounted filesystems, similar with what `df -a` prints out.\n", + "fields": [ + { + "description": "Number of file systems found.", + "name": "count", + "type": "long" + }, + { + "description": "Total number of files.", + "name": "total_files", + "type": "long" + }, + { + "description": "Nested file system docs.", + "fields": [ + { + "description": "Total free space.\n", + "format": "bytes", + "name": "free", + "type": "long" + }, + { + "description": "Total used space.\n", + "format": "bytes", + "name": "used", + "type": "long" + }, + { + "description": "Total space (used plus free).\n", + "format": "bytes", + "name": "total", + "type": "long" + } + ], + "format": "bytes", + "name": "total_size", + "type": "group" + } + ], + "name": "fsstat", + "type": "group" + }, + { + "description": "CPU load averages.\n", + "fields": [ + { + "description": "Load average for the last minute.\n", + "name": "1", + "scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "Load average for the last 5 minutes.\n", + "name": "5", + 
"scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "Load average for the last 15 minutes.\n", + "name": "15", + "scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "Load for the last minute divided by the number of cores.\n", + "name": "norm.1", + "scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "Load for the last 5 minutes divided by the number of cores.\n", + "name": "norm.5", + "scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "Load for the last 15 minutes divided by the number of cores.\n", + "name": "norm.15", + "scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "The number of CPU cores present on the host.\n", + "name": "cores", + "type": "long" + } + ], + "name": "load", + "type": "group" + }, + { + "description": "`memory` contains local memory stats.\n", + "fields": [ + { + "description": "Total memory.\n", + "format": "bytes", + "name": "total", + "type": "long" + }, + { + "description": "Used memory.\n", + "format": "bytes", + "name": "used.bytes", + "type": "long" + }, + { + "description": "The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free).\n", + "format": "bytes", + "name": "free", + "type": "long" + }, + { + "description": "The percentage of used memory.\n", + "format": "percent", + "name": "used.pct", + "type": "scaled_float" + }, + { + "description": "Actual memory used and free.\n", + "fields": [ + { + "description": "Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`.\n", + "format": "bytes", + "name": "used.bytes", + "type": "long" + }, + { + "description": "Actual free memory in bytes. It is calculated based on the OS. On Linux it consists of the free memory plus caches and buffers. 
On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`.\n", + "format": "bytes", + "name": "free", + "type": "long" + }, + { + "description": "The percentage of actual used memory.\n", + "format": "percent", + "name": "used.pct", + "type": "scaled_float" + } + ], + "name": "actual", + "type": "group" + }, + { + "description": "This group contains statistics related to the swap memory usage on the system.", + "fields": [ + { + "description": "Total swap memory.\n", + "format": "bytes", + "name": "total", + "type": "long" + }, + { + "description": "Used swap memory.\n", + "format": "bytes", + "name": "used.bytes", + "type": "long" + }, + { + "description": "Available swap memory.\n", + "format": "bytes", + "name": "free", + "type": "long" + }, + { + "description": "The percentage of used swap memory.\n", + "format": "percent", + "name": "used.pct", + "type": "scaled_float" + } + ], + "name": "swap", + "prefix": "[float]", + "type": "group" + } + ], + "name": "memory", + "type": "group" + }, + { + "description": "`network` contains network IO metrics for a single network interface.\n", + "fields": [ + { + "description": "The network interface name.\n", + "example": "eth0", + "name": "name", + "type": "keyword" + }, + { + "description": "The number of bytes sent.\n", + "format": "bytes", + "name": "out.bytes", + "type": "long" + }, + { + "description": "The number of bytes received.\n", + "format": "bytes", + "name": "in.bytes", + "type": "long" + }, + { + "description": "The number of packets sent.\n", + "name": "out.packets", + "type": "long" + }, + { + "description": "The number or packets received.\n", + "name": "in.packets", + "type": "long" + }, + { + "description": "The number of errors while receiving.\n", + "name": "in.errors", + "type": "long" + }, + { + "description": "The number of errors while sending.\n", + "name": "out.errors", + "type": "long" + }, + { + "description": "The number of incoming packets 
that were dropped.\n", + "name": "in.dropped", + "type": "long" + }, + { + "description": "The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system.\n", + "name": "out.dropped", + "type": "long" + } + ], + "name": "network", + "type": "group" + }, + { + "description": "`process` contains process metadata, CPU metrics, and memory metrics.\n", + "fields": [ + { + "description": "The process name.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "The process state. For example: \"running\".\n", + "name": "state", + "type": "keyword" + }, + { + "description": "The process pid.\n", + "name": "pid", + "type": "long" + }, + { + "description": "The process parent pid.\n", + "name": "ppid", + "type": "long" + }, + { + "description": "The process group id.\n", + "name": "pgid", + "type": "long" + }, + { + "description": "The full command-line used to start the process, including the arguments separated by space.\n", + "name": "cmdline", + "type": "keyword" + }, + { + "description": "The username of the user that created the process. If the username cannot be determined, the field will contain the user's numeric identifier (UID). On Windows, this field includes the user's domain and is formatted as `domain\\username`.\n", + "name": "username", + "type": "keyword" + }, + { + "description": "The current working directory of the process. This field is only available on Linux.\n", + "name": "cwd", + "type": "keyword" + }, + { + "description": "The environment variables used to start the process. 
The data is available on FreeBSD, Linux, and OS X.\n", + "name": "env", + "object_type": "keyword", + "type": "object" + }, + { + "description": "CPU-specific statistics per process.", + "fields": [ + { + "description": "The amount of CPU time the process spent in user space.\n", + "name": "user", + "type": "long" + }, + { + "description": "The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems.\n", + "format": "percent", + "name": "total.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%.\n", + "format": "percent", + "name": "total.norm.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time the process spent in kernel space.\n", + "name": "system", + "type": "long" + }, + { + "description": "The total CPU time spent by the process.\n", + "name": "total.ticks", + "type": "long" + }, + { + "description": "The time when the process was started.\n", + "name": "start_time", + "type": "date" + } + ], + "name": "cpu", + "prefix": "[float]", + "type": "group" + }, + { + "description": "Memory-specific statistics per process.", + "fields": [ + { + "description": "The total virtual memory the process has.\n", + "format": "bytes", + "name": "size", + "type": "long" + }, + { + "description": "The Resident Set Size. 
The amount of memory the process occupied in main memory (RAM).\n", + "format": "bytes", + "name": "rss.bytes", + "type": "long" + }, + { + "description": "The percentage of memory the process occupied in main memory (RAM).\n", + "format": "percent", + "name": "rss.pct", + "type": "scaled_float" + }, + { + "description": "The shared memory the process uses.\n", + "format": "bytes", + "name": "share", + "type": "long" + } + ], + "name": "memory", + "prefix": "[float]", + "type": "group" + }, + { + "description": "File descriptor usage metrics. This set of metrics is available for Linux and FreeBSD.\n", + "fields": [ + { + "description": "The number of file descriptors open by the process.", + "name": "open", + "type": "long" + }, + { + "description": "The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time.\n", + "name": "limit.soft", + "type": "long" + }, + { + "description": "The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root.\n", + "name": "limit.hard", + "type": "long" + } + ], + "name": "fd", + "prefix": "[float]", + "type": "group" + }, + { + "description": "Metrics and limits from the cgroup of which the task is a member. cgroup metrics are reported when the process has membership in a non-root cgroup. These metrics are only available on Linux.\n", + "fields": [ + { + "description": "The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent.\n", + "name": "path", + "type": "keyword" + }, + { + "description": "The cpu subsystem schedules CPU access for tasks in the cgroup. Access can be controlled by two separate schedulers, CFS and RT. 
CFS stands for completely fair scheduler which proportionally divides the CPU time between cgroups based on weight. RT stands for real time scheduler which sets a maximum amount of CPU time that processes in the cgroup can consume during a given period.\n", + "fields": [ + { + "description": "ID of the cgroup.", + "name": "id", + "type": "keyword" + }, + { + "description": "Path to the cgroup relative to the cgroup subsystem's mountpoint.\n", + "name": "path", + "type": "keyword" + }, + { + "description": "Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated.\n", + "name": "cfs.period.us", + "type": "long" + }, + { + "description": "Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us).\n", + "name": "cfs.quota.us", + "type": "long" + }, + { + "description": "An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher.\n", + "name": "cfs.shares", + "type": "long" + }, + { + "description": "Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated.\n", + "name": "rt.period.us", + "type": "long" + }, + { + "description": "Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.\n", + "name": "rt.runtime.us", + "type": "long" + }, + { + "description": "Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed.\n", + "name": "stats.periods", + "type": "long" + }, + { + "description": "Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota).\n", + "name": "stats.throttled.periods", + "type": "long" + }, + { + "description": "The total time duration (in nanoseconds) for which tasks in a cgroup have been 
throttled.\n", + "name": "stats.throttled.ns", + "type": "long" + } + ], + "name": "cpu", + "type": "group" + }, + { + "description": "CPU accounting metrics.", + "fields": [ + { + "description": "ID of the cgroup.", + "name": "id", + "type": "keyword" + }, + { + "description": "Path to the cgroup relative to the cgroup subsystem's mountpoint.\n", + "name": "path", + "type": "keyword" + }, + { + "description": "Total CPU time in nanoseconds consumed by all tasks in the cgroup.\n", + "name": "total.ns", + "type": "long" + }, + { + "description": "CPU time consumed by tasks in user mode.", + "name": "stats.user.ns", + "type": "long" + }, + { + "description": "CPU time consumed by tasks in user (kernel) mode.", + "name": "stats.system.ns", + "type": "long" + }, + { + "description": "CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup.\n", + "name": "percpu", + "object_type": "long", + "type": "object" + } + ], + "name": "cpuacct", + "type": "group" + }, + { + "description": "Memory limits and metrics.", + "fields": [ + { + "description": "ID of the cgroup.", + "name": "id", + "type": "keyword" + }, + { + "description": "Path to the cgroup relative to the cgroup subsystem's mountpoint.\n", + "name": "path", + "type": "keyword" + }, + { + "description": "Total memory usage by processes in the cgroup (in bytes).\n", + "format": "bytes", + "name": "mem.usage.bytes", + "type": "long" + }, + { + "description": "The maximum memory used by processes in the cgroup (in bytes).\n", + "format": "bytes", + "name": "mem.usage.max.bytes", + "type": "long" + }, + { + "description": "The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use.\n", + "format": "bytes", + "name": "mem.limit.bytes", + "type": "long" + }, + { + "description": "The number of times that the memory limit (mem.limit.bytes) was reached.\n", + "name": "mem.failures", + "type": "long" + }, + { + "description": "The sum of current memory 
usage plus swap space used by processes in the cgroup (in bytes).\n", + "format": "bytes", + "name": "memsw.usage.bytes", + "type": "long" + }, + { + "description": "The maximum amount of memory and swap space used by processes in the cgroup (in bytes).\n", + "format": "bytes", + "name": "memsw.usage.max.bytes", + "type": "long" + }, + { + "description": "The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use.\n", + "format": "bytes", + "name": "memsw.limit.bytes", + "type": "long" + }, + { + "description": "The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached.\n", + "name": "memsw.failures", + "type": "long" + }, + { + "description": "Total kernel memory usage by processes in the cgroup (in bytes).\n", + "format": "bytes", + "name": "kmem.usage.bytes", + "type": "long" + }, + { + "description": "The maximum kernel memory used by processes in the cgroup (in bytes).\n", + "format": "bytes", + "name": "kmem.usage.max.bytes", + "type": "long" + }, + { + "description": "The maximum amount of kernel memory that tasks in the cgroup are allowed to use.\n", + "format": "bytes", + "name": "kmem.limit.bytes", + "type": "long" + }, + { + "description": "The number of times that the memory limit (kmem.limit.bytes) was reached.\n", + "name": "kmem.failures", + "type": "long" + }, + { + "description": "Total memory usage for TCP buffers in bytes.\n", + "format": "bytes", + "name": "kmem_tcp.usage.bytes", + "type": "long" + }, + { + "description": "The maximum memory used for TCP buffers by processes in the cgroup (in bytes).\n", + "format": "bytes", + "name": "kmem_tcp.usage.max.bytes", + "type": "long" + }, + { + "description": "The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use.\n", + "format": "bytes", + "name": "kmem_tcp.limit.bytes", + "type": "long" + }, + { + "description": "The number of times that the memory limit (kmem_tcp.limit.bytes) was 
reached.\n", + "name": "kmem_tcp.failures", + "type": "long" + }, + { + "description": "Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes.\n", + "format": "bytes", + "name": "stats.active_anon.bytes", + "type": "long" + }, + { + "description": "File-backed memory on active LRU list, in bytes.", + "format": "bytes", + "name": "stats.active_file.bytes", + "type": "long" + }, + { + "description": "Page cache, including tmpfs (shmem), in bytes.", + "format": "bytes", + "name": "stats.cache.bytes", + "type": "long" + }, + { + "description": "Memory limit for the hierarchy that contains the memory cgroup, in bytes.\n", + "format": "bytes", + "name": "stats.hierarchical_memory_limit.bytes", + "type": "long" + }, + { + "description": "Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes.\n", + "format": "bytes", + "name": "stats.hierarchical_memsw_limit.bytes", + "type": "long" + }, + { + "description": "Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes\n", + "format": "bytes", + "name": "stats.inactive_anon.bytes", + "type": "long" + }, + { + "description": "File-backed memory on inactive LRU list, in bytes.\n", + "format": "bytes", + "name": "stats.inactive_file.bytes", + "type": "long" + }, + { + "description": "Size of memory-mapped mapped files, including tmpfs (shmem), in bytes.\n", + "format": "bytes", + "name": "stats.mapped_file.bytes", + "type": "long" + }, + { + "description": "Number of times that a process in the cgroup triggered a page fault.\n", + "name": "stats.page_faults", + "type": "long" + }, + { + "description": "Number of times that a process in the cgroup triggered a major fault. \"Major\" faults happen when the kernel actually has to read the data from disk.\n", + "name": "stats.major_page_faults", + "type": "long" + }, + { + "description": "Number of pages paged into memory. 
This is a counter.\n", + "name": "stats.pages_in", + "type": "long" + }, + { + "description": "Number of pages paged out of memory. This is a counter.\n", + "name": "stats.pages_out", + "type": "long" + }, + { + "description": "Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes.\n", + "format": "bytes", + "name": "stats.rss.bytes", + "type": "long" + }, + { + "description": "Number of bytes of anonymous transparent hugepages.\n", + "format": "bytes", + "name": "stats.rss_huge.bytes", + "type": "long" + }, + { + "description": "Swap usage, in bytes.\n", + "format": "bytes", + "name": "stats.swap.bytes", + "type": "long" + }, + { + "description": "Memory that cannot be reclaimed, in bytes.\n", + "format": "bytes", + "name": "stats.unevictable.bytes", + "type": "long" + } + ], + "name": "memory", + "type": "group" + }, + { + "description": "Block IO metrics.", + "fields": [ + { + "description": "ID of the cgroup.", + "name": "id", + "type": "keyword" + }, + { + "description": "Path to the cgroup relative to the cgroup subsystems mountpoint.\n", + "name": "path", + "type": "keyword" + }, + { + "description": "Total number of bytes transferred to and from all block devices by processes in the cgroup.\n", + "format": "bytes", + "name": "total.bytes", + "type": "long" + }, + { + "description": "Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy.\n", + "name": "total.ios", + "type": "long" + } + ], + "name": "blkio", + "type": "group" + } + ], + "name": "cgroup", + "type": "group" + } + ], + "name": "process", + "type": "group" + }, + { + "description": "Summary metrics for the processes running on the host.\n", + "fields": [ + { + "description": "Total number of processes on this host.\n", + "name": "total", + "type": "long" + }, + { + "description": "Number of running processes on this host.\n", + "name": "running", + "type": "long" + }, + { + "description": 
"Number of idle processes on this host.\n", + "name": "idle", + "type": "long" + }, + { + "description": "Number of sleeping processes on this host.\n", + "name": "sleeping", + "type": "long" + }, + { + "description": "Number of stopped processes on this host.\n", + "name": "stopped", + "type": "long" + }, + { + "description": "Number of zombie processes on this host.\n", + "name": "zombie", + "type": "long" + }, + { + "description": "Number of processes for which the state couldn't be retrieved or is unknown.\n", + "name": "unknown", + "type": "long" + } + ], + "name": "process.summary", + "title": "Process Summary", + "type": "group" + }, + { + "description": "TCP sockets that are active.\n", + "fields": [ + { + "description": "How the socket was initiated. Possible values are incoming, outgoing, or listening.\n", + "example": "incoming", + "name": "direction", + "type": "keyword" + }, + { + "description": "Address family.\n", + "example": "ipv4", + "name": "family", + "type": "keyword" + }, + { + "description": "Local IP address. This can be an IPv4 or IPv6 address.\n", + "example": "192.0.2.1 or 2001:0DB8:ABED:8536::1", + "name": "local.ip", + "type": "ip" + }, + { + "description": "Local port.\n", + "example": 22, + "name": "local.port", + "type": "long" + }, + { + "description": "Remote IP address. This can be an IPv4 or IPv6 address.\n", + "example": "192.0.2.1 or 2001:0DB8:ABED:8536::1", + "name": "remote.ip", + "type": "ip" + }, + { + "description": "Remote port.\n", + "example": 22, + "name": "remote.port", + "type": "long" + }, + { + "description": "PTR record associated with the remote IP. It is obtained via reverse IP lookup.\n", + "example": "76-211-117-36.nw.example.com.", + "name": "remote.host", + "type": "keyword" + }, + { + "description": "The effective top-level domain (eTLD) of the remote host plus one more label. For example, the eTLD+1 for \"foo.bar.golang.org.\" is \"golang.org.\". 
The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org.\n", + "example": "example.com.", + "name": "remote.etld_plus_one", + "type": "keyword" + }, + { + "description": "Error describing the cause of the reverse lookup failure.\n", + "name": "remote.host_error", + "type": "keyword" + }, + { + "description": "ID of the process that opened the socket.\n", + "name": "process.pid", + "type": "long" + }, + { + "description": "Name of the command (limited to 20 chars by the OS).\n", + "name": "process.command", + "type": "keyword" + }, + { + "description": "", + "name": "process.cmdline", + "type": "keyword" + }, + { + "description": "Absolute path to the executable.\n", + "name": "process.exe", + "type": "keyword" + }, + { + "description": "UID of the user running the process.\n", + "name": "user.id", + "type": "long" + }, + { + "description": "Name of the user running the process.\n", + "name": "user.name", + "type": "keyword" + } + ], + "name": "socket", + "type": "group" + }, + { + "description": "`uptime` contains the operating system uptime metric.\n", + "fields": [ + { + "description": "The OS uptime in milliseconds.\n", + "format": "duration", + "input_format": "milliseconds", + "name": "duration.ms", + "type": "long" + } + ], + "name": "uptime", + "type": "group" + } + ], + "name": "system", + "type": "group" + } + ], + "key": "system", + "short_config": true, + "title": "System" + }, + { + "description": "vSphere module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "datastore\n", + "fields": [ + { + "description": "Datacenter name\n", + "name": "datacenter", + "type": "keyword" + }, + { + "description": "Datastore name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Filesystem type\n", + "name": "fstype", + "type": "keyword" + }, + { + "description": "Total bytes of the datastore\n", + "format": "bytes", + "name": "capacity.total.bytes", + "type": "long" + }, + 
{ + "description": "Free bytes of the datastore\n", + "format": "bytes", + "name": "capacity.free.bytes", + "type": "long" + }, + { + "description": "Used bytes of the datastore\n", + "format": "bytes", + "name": "capacity.used.bytes", + "type": "long" + }, + { + "description": "Used percent of the datastore\n", + "format": "percent", + "name": "capacity.used.pct", + "type": "long" + } + ], + "name": "datastore", + "type": "group" + }, + { + "description": "host\n", + "fields": [ + { + "description": "Datacenter name\n", + "name": "datacenter", + "type": "keyword" + }, + { + "description": "Host name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Used CPU in Mhz\n", + "name": "cpu.used.mhz", + "type": "long" + }, + { + "description": "Total CPU in Mhz\n", + "name": "cpu.total.mhz", + "type": "long" + }, + { + "description": "Free CPU in Mhz\n", + "name": "cpu.free.mhz", + "type": "long" + }, + { + "description": "Used Memory in bytes\n", + "format": "bytes", + "name": "memory.used.bytes", + "type": "long" + }, + { + "description": "Total Memory in bytes\n", + "format": "bytes", + "name": "memory.total.bytes", + "type": "long" + }, + { + "description": "Free Memory in bytes\n", + "format": "bytes", + "name": "memory.free.bytes", + "type": "long" + } + ], + "name": "host", + "type": "group" + }, + { + "description": "virtualmachine\n", + "fields": [ + { + "description": "Datacenter name\n", + "name": "datacenter", + "type": "keyword" + }, + { + "description": "Virtual Machine name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Used CPU in Mhz\n", + "name": "cpu.used.mhz", + "type": "long" + }, + { + "description": "Used Memory of Guest in bytes\n", + "format": "bytes", + "name": "memory.used.guest.bytes", + "type": "long" + }, + { + "description": "Used Memory of Host in bytes\n", + "format": "bytes", + "name": "memory.used.host.bytes", + "type": "long" + }, + { + "description": "Total Memory of Guest in bytes\n", + 
"format": "bytes", + "name": "memory.total.guest.bytes", + "type": "long" + }, + { + "description": "Free Memory of Guest in bytes\n", + "format": "bytes", + "name": "memory.free.guest.bytes", + "type": "long" + }, + { + "description": "Custom fields\n", + "name": "custom_fields", + "object_type": "keyword", + "type": "object" + } + ], + "name": "virtualmachine", + "type": "group" + } + ], + "name": "vsphere", + "type": "group" + } + ], + "key": "vsphere", + "title": "vSphere" + }, + { + "description": "beta[] Module for Windows\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "windows", + "type": "group" + } + ], + "key": "windows", + "short_config": false, + "title": "Windows" + }, + { + "description": "ZooKeeper metrics collected by the four-letter monitoring commands.\n", + "fields": [ + { + "description": "`zookeeper` contains the metrics reported by ZooKeeper commands.\n", + "fields": [ + { + "description": "`mntr` contains the metrics reported by the four-letter `mntr` command.\n", + "fields": [ + { + "description": "ZooKeeper hostname.\n", + "name": "hostname", + "type": "keyword" + }, + { + "description": "Approximate size of ZooKeeper data.\n", + "name": "approximate_data_size", + "type": "long" + }, + { + "description": "Average latency between ensemble hosts in milliseconds.\n", + "name": "latency.avg", + "type": "long" + }, + { + "description": "Number of ephemeral znodes.\n", + "name": "ephemerals_count", + "type": "long" + }, + { + "description": "Number of followers seen by the current host.\n", + "name": "followers", + "type": "long" + }, + { + "description": "Maximum number of file descriptors allowed for the ZooKeeper process.\n", + "name": "max_file_descriptor_count", + "type": "long" + }, + { + "description": "Maximum latency in milliseconds.\n", + "name": "latency.max", + "type": "long" + }, + { + "description": "Minimum latency in milliseconds.\n", + "name": "latency.min", + "type": "long" + }, + { + "description": 
"Number of connections to ZooKeeper that are currently alive.\n", + "name": "num_alive_connections", + "type": "long" + }, + { + "description": "Number of file descriptors open by the ZooKeeper process.\n", + "name": "open_file_descriptor_count", + "type": "long" + }, + { + "description": "Number of outstanding requests that need to be processed by the cluster.\n", + "name": "outstanding_requests", + "type": "long" + }, + { + "description": "Number of ZooKeeper network packets received.\n", + "name": "packets.received", + "type": "long" + }, + { + "description": "Number of ZooKeeper network packets sent.\n", + "name": "packets.sent", + "type": "long" + }, + { + "description": "Number of pending syncs to carry out to ZooKeeper ensemble followers.\n", + "name": "pending_syncs", + "type": "long" + }, + { + "description": "Role in the ZooKeeper ensemble.\n", + "name": "server_state", + "type": "keyword" + }, + { + "description": "Number of synced followers reported when a node server_state is leader.\n", + "name": "synced_followers", + "type": "long" + }, + { + "description": "ZooKeeper version and build string reported.\n", + "name": "version", + "type": "keyword" + }, + { + "description": "Number of watches currently set on the local ZooKeeper process.\n", + "name": "watch_count", + "type": "long" + }, + { + "description": "Number of znodes reported by the local ZooKeeper process.\n", + "name": "znode_count", + "type": "long" + } + ], + "name": "mntr", + "type": "group" + } + ], + "name": "zookeeper", + "type": "group" + } + ], + "key": "zookeeper", + "short_config": false, + "title": "ZooKeeper" + } + ] + } + } + } + } + } + }, + "processors": { + "folders": { + "add_cloud_metadata": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Metadata from cloud providers added by the add_cloud_metadata processor.\n", + "fields": [ + { + "description": "Name of the project in Google Cloud.\n", + "example": "project-x", + "name": 
"cloud.project.id" + }, + { + "description": "Image ID for the cloud instance.\n", + "example": "ami-abcd1234", + "name": "cloud.image.id" + }, + { + "migration": true, + "name": "meta.cloud.provider", + "path": "cloud.provider", + "type": "alias" + }, + { + "migration": true, + "name": "meta.cloud.instance_id", + "path": "cloud.instance.id", + "type": "alias" + }, + { + "migration": true, + "name": "meta.cloud.instance_name", + "path": "cloud.instance.name", + "type": "alias" + }, + { + "migration": true, + "name": "meta.cloud.machine_type", + "path": "cloud.machine.type", + "type": "alias" + }, + { + "migration": true, + "name": "meta.cloud.availability_zone", + "path": "cloud.availability_zone", + "type": "alias" + }, + { + "migration": true, + "name": "meta.cloud.project_id", + "path": "cloud.project.id", + "type": "alias" + }, + { + "migration": true, + "name": "meta.cloud.region", + "path": "cloud.region", + "type": "alias" + } + ], + "key": "cloud", + "title": "Cloud provider metadata" + } + ] + } + } + } + }, + "add_cloudfoundry_metadata": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "anchor": "cloudfoundry-processor", + "description": "Cloud Foundry information collected from Cloud Foundry.\n", + "fields": [ + { + "fields": [ + { + "description": "Cloud Foundry application ID\n", + "name": "app.id", + "type": "keyword" + }, + { + "description": "Cloud Foundry application name\n", + "name": "app.name", + "type": "keyword" + }, + { + "description": "Cloud Foundry space name\n", + "name": "space.id", + "type": "keyword" + }, + { + "description": "Cloud Foundry space name\n", + "name": "space.name", + "type": "keyword" + }, + { + "description": "Cloud Foundry organization ID\n", + "name": "org.id", + "type": "keyword" + }, + { + "description": "Cloud Foundry organization name\n", + "name": "org.name", + "type": "keyword" + } + ], + "name": "cloudfoundry", + "type": "group" + } + ], + "key": "cloudfoundry", + "short_config": false, + 
"title": "Cloud Foundry" + } + ] + } + } + } + }, + "add_docker_metadata": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "anchor": "docker-processor", + "description": "Docker stats collected from Docker.\n", + "fields": [ + { + "fields": [ + { + "migration": true, + "name": "container.id", + "path": "container.id", + "type": "alias" + }, + { + "migration": true, + "name": "container.image", + "path": "container.image.name", + "type": "alias" + }, + { + "migration": true, + "name": "container.name", + "path": "container.name", + "type": "alias" + }, + { + "description": "Image labels.\n", + "name": "container.labels", + "object_type": "keyword", + "type": "object" + } + ], + "name": "docker", + "type": "group" + } + ], + "key": "docker", + "short_config": false, + "title": "Docker" + } + ] + } + } + } + }, + "add_host_metadata": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "anchor": "host-processor", + "description": "Info collected for the host machine.\n", + "fields": [ + { + "fields": [ + { + "description": "If the host is a container.\n", + "name": "containerized", + "type": "boolean" + }, + { + "description": "OS build information.\n", + "example": "18D109", + "name": "os.build", + "type": "keyword" + }, + { + "description": "OS codename, if any.\n", + "example": "stretch", + "name": "os.codename", + "type": "keyword" + } + ], + "name": "host", + "type": "group" + } + ], + "key": "host", + "title": "Host" + } + ] + } + } + } + }, + "add_kubernetes_metadata": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "anchor": "kubernetes-processor", + "description": "Kubernetes metadata added by the kubernetes processor\n", + "fields": [ + { + "fields": [ + { + "description": "Kubernetes pod name\n", + "name": "pod.name", + "type": "keyword" + }, + { + "description": "Kubernetes Pod UID\n", + "name": "pod.uid", + "type": "keyword" + }, + { + "description": "Kubernetes namespace\n", + "name": "namespace", + 
"type": "keyword" + }, + { + "description": "Kubernetes node name\n", + "name": "node.name", + "type": "keyword" + }, + { + "description": "Kubernetes labels map\n", + "name": "labels.*", + "object_type": "keyword", + "object_type_mapping_type": "*", + "type": "object" + }, + { + "description": "Kubernetes annotations map\n", + "name": "annotations.*", + "object_type": "keyword", + "object_type_mapping_type": "*", + "type": "object" + }, + { + "description": "Kubernetes replicaset name\n", + "name": "replicaset.name", + "type": "keyword" + }, + { + "description": "Kubernetes deployment name\n", + "name": "deployment.name", + "type": "keyword" + }, + { + "description": "Kubernetes statefulset name\n", + "name": "statefulset.name", + "type": "keyword" + }, + { + "description": "Kubernetes container name\n", + "name": "container.name", + "type": "keyword" + }, + { + "description": "Kubernetes container image\n", + "name": "container.image", + "type": "keyword" + } + ], + "name": "kubernetes", + "type": "group" + } + ], + "key": "kubernetes", + "short_config": false, + "title": "Kubernetes" + } + ] + } + } + } + }, + "add_process_metadata": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Process metadata fields\n", + "fields": [ + { + "fields": [ + { + "migration": true, + "name": "exe", + "path": "process.executable", + "type": "alias" + } + ], + "name": "process", + "type": "group" + } + ], + "key": "process", + "title": "Process" + } + ] + } + } + } + } + } + }, + "scripts": { + "folders": { + "cmd": { + "folders": { + "global_fields": { + "folders": { + "testdata": { + "folders": { + "module": { + "folders": { + "module1": { + "folders": { + "_meta": { + "files": { + "fields.yml": null + } + }, + "set1": { + "folders": { + "_meta": { + "files": { + "fields.yml": null + } + } + } + }, + "set2": { + "folders": { + "_meta": { + "files": { + "fields.yml": null + } + } + } + } + } + }, + "module2": { + "folders": { + "_meta": { + 
"files": { + "fields.yml": null + } + }, + "set1": { + "folders": { + "_meta": { + "files": { + "fields.yml": null + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + }, + "template": { + "folders": { + "testdata": { + "files": { + "fields.yml": [ + { + "description": "Contains all types for testing\n", + "fields": [ + { + "name": "object", + "type": "object" + }, + { + "name": "array", + "type": "array" + }, + { + "name": "keyword", + "type": "keyword" + }, + { + "enabled": false, + "name": "object_disabled", + "type": "object" + }, + { + "enabled": false, + "name": "array_disabled", + "type": "array" + }, + { + "name": "alias", + "path": "keyword", + "type": "alias" + }, + { + "migration": true, + "name": "migration_alias_true", + "path": "keyword", + "type": "alias" + }, + { + "migration": false, + "name": "migration_alias_false", + "path": "keyword", + "type": "alias" + } + ], + "key": "test", + "title": "Test fields.yml" + } + ] + } + } + } + }, + "tests": { + "folders": { + "files": { + "files": { + "config.yml": { + "env": { + "default": "${NON_EXISTENT:default}", + "test_key": "${TEST_KEY}" + }, + "output": { + "elasticsearch": { + "enabled": true, + "host": "localhost", + "port": 9200 + } + } + } + } + } + } + } + } + }, + "metricbeat": { + "folders": { + "_meta": { + "files": { + "fields.common.yml": [ + { + "description": "Contains common fields available in all event types.\n", + "fields": [ + { + "description": "The name of the module that generated the event.\n", + "migration": true, + "name": "metricset.module", + "path": "event.module", + "type": "alias" + }, + { + "description": "The name of the metricset that generated the event.\n", + "name": "metricset.name" + }, + { + "description": "Current data collection period for this event in milliseconds.\n", + "name": "metricset.period", + "type": "integer" + }, + { + "description": "Address of the machine where the service is running. 
This field may not be present when the data was collected locally.\n", + "name": "service.address" + }, + { + "description": "Host name of the machine where the service is running.\n", + "name": "service.hostname" + }, + { + "description": "The document type. Always set to \"doc\".\n", + "example": "metricsets", + "name": "type", + "required": true + }, + { + "description": "the location of the systemd unit path", + "name": "systemd.fragment_path", + "type": "keyword" + }, + { + "description": "the unit name of the systemd service", + "name": "systemd.unit", + "type": "keyword" + } + ], + "key": "common", + "title": "Common" + } + ] + } + }, + "module": { + "folders": { + "activemq": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:8161" + ], + "metricsets": [ + "broker", + "queue", + "topic" + ], + "module": "activemq", + "password": "admin", + "path": "/api/jolokia/?ignoreErrors=true&canonicalNaming=false", + "period": "10s", + "username": "admin" + } + ], + "fields.yml": [ + { + "description": "activemq module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "activemq", + "type": "group" + } + ], + "key": "activemq", + "release": "ga", + "title": "ActiveMQ" + } + ] + } + }, + "broker": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Broker metrics from org.apache.activemq:brokerName=*,type=Broker", + "fields": [ + { + "description": "Mbean that this event is related to", + "name": "mbean", + "type": "keyword" + }, + { + "description": "Broker name", + "name": "name", + "type": "keyword" + }, + { + "description": "The percentage of the memory limit used.", + "format": "percent", + "name": "memory.broker.pct", + "type": "scaled_float" + }, + { + "description": "Percent of store limit used.", + "format": "percent", + "name": "memory.store.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of the temp usage limit used.", + "format": "percent", + 
"name": "memory.temp.pct", + "type": "scaled_float" + }, + { + "description": "Total number of connections.", + "name": "connections.count", + "type": "long" + }, + { + "description": "Number of message consumers.", + "name": "consumers.count", + "type": "long" + }, + { + "description": "Number of messages that have been acknowledged on the broker.", + "name": "messages.dequeue.count", + "type": "long" + }, + { + "description": "Number of messages that have been sent to the destination.", + "name": "messages.enqueue.count", + "type": "long" + }, + { + "description": "Number of unacknowledged messages on the broker.", + "name": "messages.count", + "type": "long" + }, + { + "description": "Number of message producers active on destinations on the broker.", + "name": "producers.count", + "type": "long" + } + ], + "name": "broker", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "queue": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Queue metrics from org.apache.activemq:brokerName=*,destinationName=*,destinationType=Queue,type=Broker", + "fields": [ + { + "description": "Mbean that this event is related to", + "name": "mbean", + "type": "keyword" + }, + { + "description": "Queue name", + "name": "name", + "type": "keyword" + }, + { + "description": "Queue size", + "name": "size", + "type": "long" + }, + { + "description": "Average time a message was held on this destination.", + "name": "messages.enqueue.time.avg", + "type": "double" + }, + { + "description": "Average message size on this destination.", + "name": "messages.size.avg", + "type": "long" + }, + { + "description": "Number of consumers subscribed to this destination.", + "name": "consumers.count", + "type": "long" + }, + { + "description": "Number of messages that has been acknowledged (and removed) from the destination.", + "name": "messages.dequeue.count", + "type": "long" + }, + { + "description": "Number of messages that has been delivered to 
consumers, including those not acknowledged.", + "name": "messages.dispatch.count", + "type": "long" + }, + { + "description": "Number of messages that have been sent to the destination.", + "name": "messages.enqueue.count", + "type": "long" + }, + { + "description": "Number of messages that have been expired.", + "name": "messages.expired.count", + "type": "long" + }, + { + "description": "Number of messages that have been dispatched to, but not acknowledged by, consumers.", + "name": "messages.inflight.count", + "type": "long" + }, + { + "description": "The longest time a message was held on this destination.", + "name": "messages.enqueue.time.max", + "type": "long" + }, + { + "description": "Percent of memory limit used.", + "format": "percent", + "name": "memory.broker.pct", + "type": "scaled_float" + }, + { + "description": "The shortest time a message was held on this destination.", + "name": "messages.enqueue.time.min", + "type": "long" + }, + { + "description": "Number of producers attached to this destination.", + "name": "producers.count", + "type": "long" + } + ], + "name": "queue", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "topic": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Topic metrics from org.apache.activemq:brokerName=*,destinationName=*,destinationType=Topic,type=Broker", + "fields": [ + { + "description": "Mbean that this event is related to", + "name": "mbean", + "type": "keyword" + }, + { + "description": "Topic name", + "name": "name", + "type": "keyword" + }, + { + "description": "Average time a message was held on this destination.", + "name": "messages.enqueue.time.avg", + "type": "double" + }, + { + "description": "Average message size on this destination.", + "name": "messages.size.avg", + "type": "long" + }, + { + "description": "Number of consumers subscribed to this destination.", + "name": "consumers.count", + "type": "long" + }, + { + "description": "Number of messages 
that has been acknowledged (and removed) from the destination.", + "name": "messages.dequeue.count", + "type": "long" + }, + { + "description": "Number of messages that has been delivered to consumers, including those not acknowledged.", + "name": "messages.dispatch.count", + "type": "long" + }, + { + "description": "Number of messages that have been sent to the destination.", + "name": "messages.enqueue.count", + "type": "long" + }, + { + "description": "Number of messages that have been expired.", + "name": "messages.expired.count", + "type": "long" + }, + { + "description": "Number of messages that have been dispatched to, but not acknowledged by, consumers.", + "name": "messages.inflight.count", + "type": "long" + }, + { + "description": "The longest time a message was held on this destination.", + "name": "messages.enqueue.time.max", + "type": "long" + }, + { + "description": "Percent of memory limit used.", + "format": "percent", + "name": "memory.broker.pct", + "type": "scaled_float" + }, + { + "description": "The shortest time a message was held on this destination.", + "name": "messages.enqueue.time.min", + "type": "long" + }, + { + "description": "Number of producers attached to this destination.", + "name": "producers.count", + "type": "long" + } + ], + "name": "topic", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "aerospike": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:3000" + ], + "module": "aerospike", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Aerospike module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "aerospike", + "type": "group" + } + ], + "key": "aerospike", + "release": "ga", + "title": "Aerospike" + } + ] + } + }, + "namespace": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "namespace\n", + "fields": [ + { + "description": "Client stats.\n", + "fields": [ + { + "description": "Client 
delete transactions stats.\n", + "fields": [ + { + "description": "Number of client delete transactions that failed with an error.\n", + "name": "error", + "type": "long" + }, + { + "description": "Number of client delete transactions that resulted in a not found.\n", + "name": "not_found", + "type": "long" + }, + { + "description": "Number of successful client delete transactions.\n", + "name": "success", + "type": "long" + }, + { + "description": "Number of client delete transactions that timed out.\n", + "name": "timeout", + "type": "long" + } + ], + "name": "delete", + "type": "group" + }, + { + "description": "Client read transactions stats.\n", + "fields": [ + { + "description": "Number of client read transaction errors.\n", + "name": "error", + "type": "long" + }, + { + "description": "Number of client read transaction that resulted in not found.\n", + "name": "not_found", + "type": "long" + }, + { + "description": "Number of successful client read transactions.\n", + "name": "success", + "type": "long" + }, + { + "description": "Number of client read transaction that timed out.\n", + "name": "timeout", + "type": "long" + } + ], + "name": "read", + "type": "group" + }, + { + "description": "Client write transactions stats.\n", + "fields": [ + { + "description": "Number of client write transactions that failed with an error.\n", + "name": "error", + "type": "long" + }, + { + "description": "Number of successful client write transactions.\n", + "name": "success", + "type": "long" + }, + { + "description": "Number of client write transactions that timed out.\n", + "name": "timeout", + "type": "long" + } + ], + "name": "write", + "type": "group" + } + ], + "name": "client", + "type": "group" + }, + { + "description": "Disk storage stats\n", + "fields": [ + { + "description": "Measures the minimum contiguous disk space across all disks in a namespace.\n", + "format": "percent", + "name": "available.pct", + "type": "scaled_float" + }, + { + "description": 
"Percentage of disk capacity free for this namespace.\n", + "format": "percent", + "name": "free.pct", + "type": "scaled_float" + }, + { + "description": "Total bytes of disk space allocated to this namespace on this node.\n", + "format": "bytes", + "name": "total.bytes", + "type": "long" + }, + { + "description": "Total bytes of disk space used by this namespace on this node.\n", + "format": "bytes", + "name": "used.bytes", + "type": "long" + } + ], + "name": "device", + "type": "group" + }, + { + "description": "If true, Aerospike has breached 'high-water-[disk|memory]-pct' for this namespace.\n", + "name": "hwm_breached", + "type": "boolean" + }, + { + "description": "Memory storage stats.\n", + "fields": [ + { + "description": "Percentage of memory capacity free for this namespace on this node.\n", + "format": "percent", + "name": "free.pct", + "type": "scaled_float" + }, + { + "description": "Amount of memory occupied by data for this namespace on this node.\n", + "format": "bytes", + "name": "used.data.bytes", + "type": "long" + }, + { + "description": "Amount of memory occupied by the index for this namespace on this node.\n", + "format": "bytes", + "name": "used.index.bytes", + "type": "long" + }, + { + "description": "Amount of memory occupied by secondary indexes for this namespace on this node.\n", + "format": "bytes", + "name": "used.sindex.bytes", + "type": "long" + }, + { + "description": "Total bytes of memory used by this namespace on this node.\n", + "format": "bytes", + "name": "used.total.bytes", + "type": "long" + } + ], + "name": "memory", + "type": "group" + }, + { + "description": "Namespace name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Node host\n", + "name": "node.host", + "type": "keyword" + }, + { + "description": "Node name\n", + "name": "node.name", + "type": "keyword" + }, + { + "description": "Records stats.\n", + "fields": [ + { + "description": "Number of records on this node which are active masters.\n", 
+ "name": "master", + "type": "long" + }, + { + "description": "Number of records in this namespace for this node.\n", + "name": "total", + "type": "long" + } + ], + "name": "objects", + "type": "group" + }, + { + "description": "If true this namespace is currently not allowing writes.\n", + "name": "stop_writes", + "type": "boolean" + } + ], + "name": "namespace", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "apache": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "http://127.0.0.1" + ], + "module": "apache", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Apache HTTPD server metricsets collected from the Apache web server.\n", + "fields": [ + { + "description": "`apache` contains the metrics that were scraped from Apache.\n", + "fields": null, + "name": "apache", + "type": "group" + } + ], + "key": "apache", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "short_config": false, + "title": "Apache" + } + ] + } + }, + "status": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`status` contains the metrics that were scraped from the Apache status page.\n", + "fields": [ + { + "description": "Apache hostname.\n", + "name": "hostname", + "type": "keyword" + }, + { + "description": "Total number of access requests.\n", + "name": "total_accesses", + "type": "long" + }, + { + "description": "Total number of kilobytes served.\n", + "name": "total_kbytes", + "type": "long" + }, + { + "description": "Requests per second.\n", + "name": "requests_per_sec", + "type": "scaled_float" + }, + { + "description": "Bytes per second.\n", + "name": "bytes_per_sec", + "type": "scaled_float" + }, + { + "description": "Bytes per request.\n", + "name": "bytes_per_request", + "type": "scaled_float" + }, + { + "description": "Number of busy workers.\n", + "name": "workers.busy", + "type": "long" + }, + { + "description": "Number of idle workers.\n", + "name": 
"workers.idle", + "type": "long" + }, + { + "description": "Uptime stats.\n", + "fields": [ + { + "description": "Server uptime in seconds.\n", + "name": "server_uptime", + "type": "long" + }, + { + "description": "Server uptime.\n", + "name": "uptime", + "type": "long" + } + ], + "name": "uptime", + "type": "group" + }, + { + "description": "CPU stats.\n", + "fields": [ + { + "description": "CPU Load.\n", + "name": "load", + "type": "scaled_float" + }, + { + "description": "CPU user load.\n", + "name": "user", + "type": "scaled_float" + }, + { + "description": "System cpu.\n", + "name": "system", + "type": "scaled_float" + }, + { + "description": "CPU of children user.\n", + "name": "children_user", + "type": "scaled_float" + }, + { + "description": "CPU of children system.\n", + "name": "children_system", + "type": "scaled_float" + } + ], + "name": "cpu", + "type": "group" + }, + { + "description": "Connection stats.\n", + "fields": [ + { + "description": "Total connections.\n", + "name": "total", + "type": "long" + }, + { + "description": "Async connection writing.\n", + "name": "async.writing", + "type": "long" + }, + { + "description": "Async keeped alive connections.\n", + "name": "async.keep_alive", + "type": "long" + }, + { + "description": "Async closed connections.\n", + "name": "async.closing", + "type": "long" + } + ], + "name": "connections", + "type": "group" + }, + { + "description": "Load averages.\n", + "fields": [ + { + "description": "Load average for the last minute.\n", + "name": "1", + "scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "Load average for the last 5 minutes.\n", + "name": "5", + "scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "Load average for the last 15 minutes.\n", + "name": "15", + "scaling_factor": 100, + "type": "scaled_float" + } + ], + "name": "load", + "type": "group" + }, + { + "description": "Scoreboard metrics.\n", + "fields": [ + { + "description": "Starting up.\n", + 
"name": "starting_up", + "type": "long" + }, + { + "description": "Reading requests.\n", + "name": "reading_request", + "type": "long" + }, + { + "description": "Sending Reply.\n", + "name": "sending_reply", + "type": "long" + }, + { + "description": "Keep alive.\n", + "name": "keepalive", + "type": "long" + }, + { + "description": "Dns Lookups.\n", + "name": "dns_lookup", + "type": "long" + }, + { + "description": "Closing connections.\n", + "name": "closing_connection", + "type": "long" + }, + { + "description": "Logging\n", + "name": "logging", + "type": "long" + }, + { + "description": "Gracefully finishing.\n", + "name": "gracefully_finishing", + "type": "long" + }, + { + "description": "Idle cleanups.\n", + "name": "idle_cleanup", + "type": "long" + }, + { + "description": "Open slots.\n", + "name": "open_slot", + "type": "long" + }, + { + "description": "Waiting for connections.\n", + "name": "waiting_for_connection", + "type": "long" + }, + { + "description": "Total.\n", + "name": "total", + "type": "long" + } + ], + "name": "scoreboard", + "type": "group" + } + ], + "name": "status", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "remove_fields_from_comparison": [ + "apache.status.hostname" + ], + "suffix": "plain", + "type": "http", + "url": "/server-status?auto=" + } + } + } + } + } + } + } + } + }, + "appsearch": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "enabled": true, + "hosts": [ + "http://localhost:3002" + ], + "metricsets": [ + "stats" + ], + "module": "appsearch", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "App Search module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "appsearch", + "type": "group" + } + ], + "key": "appsearch", + "release": "beta", + "title": "App Search" + } + ] + } + }, + "stats": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "App Search stats\n", + 
"fields": [ + { + "description": "JVM stats\n", + "fields": [ + { + "description": "Memory usage\n", + "fields": [ + { + "description": "Heap init used by the JVM in bytes.\n", + "name": "heap_init.bytes", + "type": "long" + }, + { + "description": "Heap used by the JVM in bytes.\n", + "name": "heap_used.bytes", + "type": "long" + }, + { + "description": "Committed heap to the JVM in bytes.\n", + "name": "heap_committed.bytes", + "type": "long" + }, + { + "description": "Max heap used by the JVM in bytes\n", + "name": "heap_max.bytes", + "type": "long" + }, + { + "description": "Non-Heap initial memory used by the JVM in bytes.\n", + "name": "non_heap_init.bytes", + "type": "long" + }, + { + "description": "Non-Heap committed memory used by the JVM in bytes.\n", + "name": "non_heap_committed.bytes", + "type": "long" + } + ], + "name": "memory_usage", + "type": "group" + } + ], + "name": "jvm", + "type": "group" + }, + { + "description": "Worker queues\n", + "fields": [ + { + "description": "Number of pending jobs in the `analytics_events` queue.\n", + "name": "analytics_events.count", + "type": "long" + }, + { + "description": "Number of pending jobs in the `document_destroyer` queue.\n", + "name": "document_destroyer.count", + "type": "long" + }, + { + "description": "Number of pending jobs in the `engine_destroyer` queue.\n", + "name": "engine_destroyer.count", + "type": "long" + }, + { + "description": "Number of pending jobs in the `index_adder` queue.\n", + "name": "index_adder.count", + "type": "long" + }, + { + "description": "Number of pending jobs in the `indexed_doc_remover` queue.\n", + "name": "indexed_doc_remover.count", + "type": "long" + }, + { + "description": "Number of pending jobs in the `mailer` queue.\n", + "name": "mailer.count", + "type": "long" + }, + { + "description": "Number of pending jobs in the `refresh_document_counts` queue.\n", + "name": "refresh_document_counts.count", + "type": "long" + }, + { + "description": "Number of pending 
jobs in the `reindexer` queue.\n", + "name": "reindexer.count", + "type": "long" + }, + { + "description": "Number of pending jobs in the `schema_updater` queue.\n", + "name": "schema_updater.count", + "type": "long" + }, + { + "description": "Number of failed jobs waiting to be retried.\n", + "name": "failed.count", + "type": "long" + } + ], + "name": "queues", + "type": "group" + }, + { + "description": "Request metrics\n", + "fields": [ + { + "description": "Number of recently completed requests\n", + "name": "count", + "type": "long" + }, + { + "description": "API response time metrics\n", + "fields": [ + { + "description": "Average response time in milliseconds\n", + "name": "avg.ms", + "type": "long" + }, + { + "description": "Max response time in milliseconds\n", + "name": "max.ms", + "type": "long" + } + ], + "name": "api.duration", + "type": "group" + }, + { + "description": "Dashboard response time metrics\n", + "fields": [ + { + "description": "Average response time in milliseconds\n", + "name": "avg.ms", + "type": "long" + }, + { + "description": "Max response time in milliseconds\n", + "name": "max.ms", + "type": "long" + } + ], + "name": "web.response_time", + "type": "group" + } + ], + "name": "requests", + "type": "group" + } + ], + "name": "stats", + "release": "beta", + "type": "group" + } + ] + } + } + } + } + } + }, + "aws": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "metricsets": [ + "elb", + "natgateway", + "rds", + "transitgateway", + "usage", + "vpn" + ], + "module": "aws", + "period": "1m" + }, + { + "metrics": [ + { + "namespace": "AWS/EC2", + "resource_type": "ec2:instance" + } + ], + "metricsets": [ + "cloudwatch" + ], + "module": "aws", + "period": "5m" + }, + { + "metricsets": [ + "dynamodb", + "ebs", + "ec2", + "lambda", + "rds", + "sns", + "sqs" + ], + "module": "aws", + "period": "5m" + }, + { + "metricsets": [ + "billing" + ], + "module": "aws", + "period": "12h", + "regions": [ + "us-east-1" + ] + }, + { + 
"metricsets": [ + "s3_daily_storage", + "s3_request" + ], + "module": "aws", + "period": "24h" + } + ], + "fields.yml": [ + { + "description": "`aws` module collects AWS monitoring metrics from AWS Cloudwatch.\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "Tag key value pairs from aws resources.\n", + "name": "tags.*", + "object_type": "keyword", + "object_type_mapping_type": "*", + "type": "object" + }, + { + "description": "Name of a S3 bucket.\n", + "name": "s3.bucket.name", + "type": "keyword" + }, + { + "description": "Metric dimensions.\n", + "name": "dimensions.*", + "object_type": "keyword", + "object_type_mapping_type": "*", + "type": "object" + }, + { + "description": "Metrics that returned from Cloudwatch API query.\n", + "name": "*.metrics.*.*", + "object_type": "double", + "object_type_mapping_type": "*", + "type": "object" + } + ], + "name": "aws", + "type": "group" + } + ], + "key": "aws", + "release": "ga", + "title": "AWS" + } + ] + } + }, + "billing": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`billing` contains the estimated charges for your AWS account in Cloudwatch.\n", + "fields": [ + { + "fields": [ + { + "description": "Maximum estimated charges for AWS acccount.", + "name": "EstimatedCharges.max", + "type": "long" + } + ], + "name": "metrics", + "type": "group" + } + ], + "name": "billing", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "cloudwatch": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`cloudwatch` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by different namespaces.\n", + "fields": [ + { + "description": "The namespace specified when query cloudwatch api.", + "name": "namespace", + "type": "keyword" + } + ], + "name": "cloudwatch", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "dynamodb": { + "folders": { + "_meta": { + "files": { + 
"fields.yml": [ + { + "description": "`dynamodb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS DynamoDB.\n", + "fields": [ + { + "fields": [ + { + "description": "The average latency of successful requests to DynamoDB or Amazon DynamoDB Streams during the specified time period.\n", + "name": "SuccessfulRequestLatency.avg", + "type": "double" + }, + { + "description": "The maximum latency of successful requests to DynamoDB or Amazon DynamoDB Streams during the specified time period.\n", + "name": "SuccessfulRequestLatency.max", + "type": "double" + }, + { + "description": "The percentage of completion when a new global secondary index is being added to a table.\n", + "name": "OnlineIndexPercentageProgress.avg", + "type": "double" + }, + { + "description": "The number of provisioned write capacity units for a table or a global secondary index.\n", + "name": "ProvisionedWriteCapacityUnits.avg", + "type": "double" + }, + { + "description": "The number of provisioned read capacity units for a table or a global secondary index.\n", + "name": "ProvisionedReadCapacityUnits.avg", + "type": "double" + }, + { + "description": "The average number of read capacity units consumed over the specified time period, so you can track how much of your provisioned throughput is used.\n", + "name": "ConsumedReadCapacityUnits.avg", + "type": "double" + }, + { + "description": "The sum of read capacity units consumed over the specified time period, so you can track how much of your provisioned throughput is used.\n", + "name": "ConsumedReadCapacityUnits.sum", + "type": "long" + }, + { + "description": "The average number of write capacity units consumed over the specified time period, so you can track how much of your provisioned throughput is used.\n", + "name": "ConsumedWriteCapacityUnits.avg", + "type": "double" + }, + { + "description": "The sum of write capacity units consumed over the specified time period, so you can track 
how much of your provisioned throughput is used.\n", + "name": "ConsumedWriteCapacityUnits.sum", + "type": "long" + }, + { + "description": "The average elapsed time between an updated item appearing in the DynamoDB stream for one replica table, and that item appearing in another replica in the global table.\n", + "name": "ReplicationLatency.avg", + "type": "double" + }, + { + "description": "The maximum elapsed time between an updated item appearing in the DynamoDB stream for one replica table, and that item appearing in another replica in the global table.\n", + "name": "ReplicationLatency.max", + "type": "double" + }, + { + "description": "Average rejected item-level requests due to transactional conflicts between concurrent requests on the same items.\n", + "name": "TransactionConflict.avg", + "type": "double" + }, + { + "description": "Total rejected item-level requests due to transactional conflicts between concurrent requests on the same items.\n", + "name": "TransactionConflict.sum", + "type": "long" + }, + { + "description": "The average percentage of provisioned read capacity units utilized by the account.\n", + "name": "AccountProvisionedReadCapacityUtilization.avg", + "type": "double" + }, + { + "description": "The average percentage of provisioned write capacity units utilized by the account.\n", + "name": "AccountProvisionedWriteCapacityUtilization.avg", + "type": "double" + }, + { + "description": "The requests to DynamoDB or Amazon DynamoDB Streams that generate an HTTP 500 status code during the specified time period.\n", + "name": "SystemErrors.sum", + "type": "long" + }, + { + "description": "The number of failed attempts to perform conditional writes.\n", + "name": "ConditionalCheckFailedRequests.sum", + "type": "long" + }, + { + "description": "The number of item updates that are written to one replica table, but that have not yet been written to another replica in the global table.\n", + "name": "PendingReplicationCount.sum", + "type": "long" 
+ }, + { + "description": "Requests to DynamoDB that exceed the provisioned read capacity units for a table or a global secondary index.\n", + "name": "ReadThrottleEvents.sum", + "type": "long" + }, + { + "description": "Requests to DynamoDB that exceed the provisioned throughput limits on a resource (such as a table or an index).\n", + "name": "ThrottledRequests.sum", + "type": "long" + }, + { + "description": "Requests to DynamoDB that exceed the provisioned write capacity units for a table or a global secondary index.\n", + "name": "WriteThrottleEvents.sum", + "type": "long" + }, + { + "description": "The maximum number of read capacity units that can be used by an account. This limit does not apply to on-demand tables or global secondary indexes.\n", + "name": "AccountMaxReads.max", + "type": "long" + }, + { + "description": "The maximum number of read capacity units that can be used by a table or global secondary index of an account. For on-demand tables this limit caps the maximum read request units a table or a global secondary index can use.\n", + "name": "AccountMaxTableLevelReads.max", + "type": "long" + }, + { + "description": "The maximum number of write capacity units that can be used by a table or global secondary index of an account. For on-demand tables this limit caps the maximum write request units a table or a global secondary index can use.\n", + "name": "AccountMaxTableLevelWrites.max", + "type": "long" + }, + { + "description": "The maximum number of write capacity units that can be used by an account. 
This limit does not apply to on-demand tables or global secondary indexes.\n", + "name": "AccountMaxWrites.max", + "type": "long" + }, + { + "description": "The percentage of provisioned read capacity units utilized by the highest provisioned read table or global secondary index of an account.\n", + "name": "MaxProvisionedTableReadCapacityUtilization.max", + "type": "double" + }, + { + "description": "The percentage of provisioned write capacity utilized by the highest provisioned write table or global secondary index of an account.\n", + "name": "MaxProvisionedTableWriteCapacityUtilization.max", + "type": "double" + } + ], + "name": "metrics", + "type": "group" + } + ], + "name": "dynamodb", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "ebs": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`ebs` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS EBS.\n", + "fields": [ + { + "fields": [ + { + "description": "Average size of each read operation during the period, except on volumes attached to a Nitro-based instance, where the average represents the average over the specified period.", + "name": "VolumeReadBytes.avg", + "type": "double" + }, + { + "description": "Average size of each write operation during the period, except on volumes attached to a Nitro-based instance, where the average represents the average over the specified period.", + "name": "VolumeWriteBytes.avg", + "type": "double" + }, + { + "description": "The total number of read operations in a specified period of time.", + "name": "VolumeReadOps.avg", + "type": "double" + }, + { + "description": "The total number of write operations in a specified period of time.", + "name": "VolumeWriteOps.avg", + "type": "double" + }, + { + "description": "The number of read and write operation requests waiting to be completed in a specified period of time.", + "name": "VolumeQueueLength.avg", + "type": 
"double" + }, + { + "description": "The percentage of I/O operations per second (IOPS) delivered of the total IOPS provisioned for an Amazon EBS volume. Used with Provisioned IOPS SSD volumes only.", + "name": "VolumeThroughputPercentage.avg", + "type": "double" + }, + { + "description": "The total amount of read and write operations (normalized to 256K capacity units) consumed in a specified period of time. Used with Provisioned IOPS SSD volumes only.", + "name": "VolumeConsumedReadWriteOps.avg", + "type": "double" + }, + { + "description": "Used with General Purpose SSD (gp2), Throughput Optimized HDD (st1), and Cold HDD (sc1) volumes only. Provides information about the percentage of I/O credits (for gp2) or throughput credits (for st1 and sc1) remaining in the burst bucket.", + "name": "BurstBalance.avg", + "type": "double" + }, + { + "description": "The total number of seconds spent by all read operations that completed in a specified period of time.", + "name": "VolumeTotalReadTime.sum", + "type": "double" + }, + { + "description": "The total number of seconds spent by all write operations that completed in a specified period of time.", + "name": "VolumeTotalWriteTime.sum", + "type": "double" + }, + { + "description": "The total number of seconds in a specified period of time when no read or write operations were submitted.", + "name": "VolumeIdleTime.sum", + "type": "double" + } + ], + "name": "metrics", + "type": "group" + } + ], + "name": "ebs", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "ec2": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`ec2` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS EC2.\n", + "fields": [ + { + "description": "The percentage of allocated EC2 compute units that are currently in use on the instance.\n", + "name": "cpu.total.pct", + "type": "scaled_float" + }, + { + "description": "The number of CPU credits spent by the 
instance for CPU utilization.\n", + "name": "cpu.credit_usage", + "type": "long" + }, + { + "description": "The number of earned CPU credits that an instance has accrued since it was launched or started.\n", + "name": "cpu.credit_balance", + "type": "long" + }, + { + "description": "The number of surplus credits that have been spent by an unlimited instance when its CPUCreditBalance value is zero.\n", + "name": "cpu.surplus_credit_balance", + "type": "long" + }, + { + "description": "The number of spent surplus credits that are not paid down by earned CPU credits, and which thus incur an additional charge.\n", + "name": "cpu.surplus_credits_charged", + "type": "long" + }, + { + "description": "The number of packets received on all network interfaces by the instance.\n", + "name": "network.in.packets", + "type": "long" + }, + { + "description": "The number of packets per second sent out on all network interfaces by the instance.\n", + "name": "network.in.packets_per_sec", + "type": "long" + }, + { + "description": "The number of packets sent out on all network interfaces by the instance.\n", + "name": "network.out.packets", + "type": "long" + }, + { + "description": "The number of packets per second sent out on all network interfaces by the instance.\n", + "name": "network.out.packets_per_sec", + "type": "long" + }, + { + "description": "The number of bytes received on all network interfaces by the instance.\n", + "format": "bytes", + "name": "network.in.bytes", + "type": "long" + }, + { + "description": "The number of bytes per second received on all network interfaces by the instance.\n", + "name": "network.in.bytes_per_sec", + "type": "long" + }, + { + "description": "The number of bytes sent out on all network interfaces by the instance.\n", + "format": "bytes", + "name": "network.out.bytes", + "type": "long" + }, + { + "description": "The number of bytes per second sent out on all network interfaces by the instance.\n", + "name": "network.out.bytes_per_sec", + 
"type": "long" + }, + { + "description": "Bytes read from all instance store volumes available to the instance.\n", + "format": "bytes", + "name": "diskio.read.bytes", + "type": "long" + }, + { + "description": "Bytes read per second from all instance store volumes available to the instance.\n", + "name": "diskio.read.bytes_per_sec", + "type": "long" + }, + { + "description": "Bytes written to all instance store volumes available to the instance.\n", + "format": "bytes", + "name": "diskio.write.bytes", + "type": "long" + }, + { + "description": "Bytes written per second to all instance store volumes available to the instance.\n", + "name": "diskio.write.bytes_per_sec", + "type": "long" + }, + { + "description": "Completed read operations from all instance store volumes available to the instance in a specified period of time.\n", + "name": "diskio.read.ops", + "type": "long" + }, + { + "description": "Completed read operations per second from all instance store volumes available to the instance in a specified period of time.\n", + "name": "diskio.read.ops_per_sec", + "type": "long" + }, + { + "description": "Completed write operations to all instance store volumes available to the instance in a specified period of time.\n", + "name": "diskio.write.ops", + "type": "long" + }, + { + "description": "Completed write operations per second to all instance store volumes available to the instance in a specified period of time.\n", + "name": "diskio.write.ops_per_sec", + "type": "long" + }, + { + "description": "Reports whether the instance has passed both the instance status check and the system status check in the last minute.\n", + "name": "status.check_failed", + "type": "long" + }, + { + "description": "Reports whether the instance has passed the system status check in the last minute.\n", + "name": "status.check_failed_system", + "type": "long" + }, + { + "description": "Reports whether the instance has passed the instance status check in the last minute.\n", + "name": 
"status.check_failed_instance", + "type": "long" + }, + { + "description": "The number of CPU cores for the instance.\n", + "name": "instance.core.count", + "type": "integer" + }, + { + "description": "The ID of the image used to launch the instance.\n", + "name": "instance.image.id", + "type": "keyword" + }, + { + "description": "Indicates whether detailed monitoring is enabled.\n", + "name": "instance.monitoring.state", + "type": "keyword" + }, + { + "description": "The private DNS name of the network interface.\n", + "name": "instance.private.dns_name", + "type": "keyword" + }, + { + "description": "The private IPv4 address associated with the network interface.\n", + "name": "instance.private.ip", + "type": "ip" + }, + { + "description": "The public DNS name of the instance.\n", + "name": "instance.public.dns_name", + "type": "keyword" + }, + { + "description": "The address of the Elastic IP address (IPv4) bound to the network interface.\n", + "name": "instance.public.ip", + "type": "ip" + }, + { + "description": "The state of the instance, as a 16-bit unsigned integer.\n", + "name": "instance.state.code", + "type": "integer" + }, + { + "description": "The state of the instance (pending | running | shutting-down | terminated | stopping | stopped).\n", + "name": "instance.state.name", + "type": "keyword" + }, + { + "description": "The number of threads per CPU core.\n", + "name": "instance.threads_per_core", + "type": "integer" + } + ], + "name": "ec2", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "elb": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`elb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS ELB.\n", + "fields": [ + { + "fields": [ + { + "description": "The number of connections that were not successfully established between the load balancer and the registered instances.", + "name": "BackendConnectionErrors.sum", + "type": "long" + }, + { 
+ "description": "The number of HTTP 2XX response code generated by registered instances.", + "name": "HTTPCode_Backend_2XX.sum", + "type": "long" + }, + { + "description": "The number of HTTP 3XX response code generated by registered instances.", + "name": "HTTPCode_Backend_3XX.sum", + "type": "long" + }, + { + "description": "The number of HTTP 4XX response code generated by registered instances.", + "name": "HTTPCode_Backend_4XX.sum", + "type": "long" + }, + { + "description": "The number of HTTP 5XX response code generated by registered instances.", + "name": "HTTPCode_Backend_5XX.sum", + "type": "long" + }, + { + "description": "The number of HTTP 4XX client error codes generated by the load balancer.", + "name": "HTTPCode_ELB_4XX.sum", + "type": "long" + }, + { + "description": "The number of HTTP 5XX server error codes generated by the load balancer.", + "name": "HTTPCode_ELB_5XX.sum", + "type": "long" + }, + { + "description": "The number of requests completed or connections made during the specified interval.", + "name": "RequestCount.sum", + "type": "long" + }, + { + "description": "The total number of requests that were rejected because the surge queue is full.", + "name": "SpilloverCount.sum", + "type": "long" + }, + { + "description": "The number of healthy instances registered with your load balancer.", + "name": "HealthyHostCount.max", + "type": "long" + }, + { + "description": "The total number of requests (HTTP listener) or connections (TCP listener) that are pending routing to a healthy instance.", + "name": "SurgeQueueLength.max", + "type": "long" + }, + { + "description": "The number of unhealthy instances registered with your load balancer.", + "name": "UnHealthyHostCount.max", + "type": "long" + }, + { + "description": "The total time elapsed, in seconds, from the time the load balancer sent the request to a registered instance until the instance started to send the response headers.", + "name": "Latency.avg", + "type": "double" + }, + { + 
"description": "The estimated number of concurrent TCP connections active from clients to the load balancer and from the load balancer to targets.", + "name": "EstimatedALBActiveConnectionCount.avg", + "type": "double" + }, + { + "description": "The estimated number of load balancer capacity units (LCU) used by an Application Load Balancer.", + "name": "EstimatedALBConsumedLCUs.avg", + "type": "double" + }, + { + "description": "The estimated number of new TCP connections established from clients to the load balancer and from the load balancer to targets.", + "name": "EstimatedALBNewConnectionCount.avg", + "type": "double" + }, + { + "description": "The estimated number of bytes processed by an Application Load Balancer.", + "name": "EstimatedProcessedBytes.avg", + "type": "double" + } + ], + "name": "metrics", + "type": "group" + } + ], + "name": "elb", + "release": "ga", + "type": "group" + }, + { + "description": "`applicationelb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS ApplicationELB.\n", + "fields": [ + { + "fields": [ + { + "description": "The total number of concurrent TCP connections active from clients to the load balancer and from the load balancer to targets.", + "name": "ActiveConnectionCount.sum", + "type": "long" + }, + { + "description": "The number of TLS connections initiated by the client that did not establish a session with the load balancer due to a TLS error.", + "name": "ClientTLSNegotiationErrorCount.sum", + "type": "long" + }, + { + "description": "The number of fixed-response actions that were successful.", + "name": "HTTP_Fixed_Response_Count.sum", + "type": "long" + }, + { + "description": "The number of redirect actions that were successful.", + "name": "HTTP_Redirect_Count.sum", + "type": "long" + }, + { + "description": "The number of redirect actions that couldn't be completed because the URL in the response location header is larger than 8K.", + "name": 
"HTTP_Redirect_Url_Limit_Exceeded_Count.sum", + "type": "long" + }, + { + "description": "The number of HTTP 3XX redirection codes that originate from the load balancer.", + "name": "HTTPCode_ELB_3XX_Count.sum", + "type": "long" + }, + { + "description": "The number of HTTP 4XX client error codes that originate from the load balancer.", + "name": "HTTPCode_ELB_4XX_Count.sum", + "type": "long" + }, + { + "description": "The number of HTTP 5XX server error codes that originate from the load balancer.", + "name": "HTTPCode_ELB_5XX_Count.sum", + "type": "long" + }, + { + "description": "The number of HTTP 500 error codes that originate from the load balancer.", + "name": "HTTPCode_ELB_500_Count.sum", + "type": "long" + }, + { + "description": "The number of HTTP 502 error codes that originate from the load balancer.", + "name": "HTTPCode_ELB_502_Count.sum", + "type": "long" + }, + { + "description": "The number of HTTP 503 error codes that originate from the load balancer.", + "name": "HTTPCode_ELB_503_Count.sum", + "type": "long" + }, + { + "description": "The number of HTTP 504 error codes that originate from the load balancer.", + "name": "HTTPCode_ELB_504_Count.sum", + "type": "long" + }, + { + "description": "The total number of bytes processed by the load balancer over IPv6.", + "name": "IPv6ProcessedBytes.sum", + "type": "long" + }, + { + "description": "The number of IPv6 requests received by the load balancer.", + "name": "IPv6RequestCount.sum", + "type": "long" + }, + { + "description": "The total number of new TCP connections established from clients to the load balancer and from the load balancer to targets.", + "name": "NewConnectionCount.sum", + "type": "long" + }, + { + "description": "The total number of bytes processed by the load balancer over IPv4 and IPv6.", + "name": "ProcessedBytes.sum", + "type": "long" + }, + { + "description": "The number of connections that were rejected because the load balancer had reached its maximum number of 
connections.", + "name": "RejectedConnectionCount.sum", + "type": "long" + }, + { + "description": "The number of requests processed over IPv4 and IPv6.", + "name": "RequestCount.sum", + "type": "long" + }, + { + "description": "The number of rules processed by the load balancer given a request rate averaged over an hour.", + "name": "RuleEvaluations.sum", + "type": "long" + }, + { + "description": "The number of load balancer capacity units (LCU) used by your load balancer.", + "name": "ConsumedLCUs.avg", + "type": "double" + } + ], + "name": "metrics", + "type": "group" + } + ], + "name": "applicationelb", + "release": "ga", + "type": "group" + }, + { + "description": "`networkelb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS NetworkELB.\n", + "fields": [ + { + "fields": [ + { + "description": "The total number of concurrent flows (or connections) from clients to targets.", + "name": "ActiveFlowCount.avg", + "type": "double" + }, + { + "description": "The total number of concurrent TCP flows (or connections) from clients to targets.", + "name": "ActiveFlowCount_TCP.avg", + "type": "double" + }, + { + "description": "The total number of concurrent TLS flows (or connections) from clients to targets.", + "name": "ActiveFlowCount_TLS.avg", + "type": "double" + }, + { + "description": "The total number of concurrent UDP flows (or connections) from clients to targets.", + "name": "ActiveFlowCount_UDP.avg", + "type": "double" + }, + { + "description": "The number of load balancer capacity units (LCU) used by your load balancer.", + "name": "ConsumedLCUs.avg", + "type": "double" + }, + { + "description": "The total number of TLS handshakes that failed during negotiation between a client and a TLS listener.", + "name": "ClientTLSNegotiationErrorCount.sum", + "type": "long" + }, + { + "description": "The total number of new flows (or connections) established from clients to targets in the time period.", + "name": 
"NewFlowCount.sum", + "type": "long" + }, + { + "description": "The total number of new TLS flows (or connections) established from clients to targets in the time period.", + "name": "NewFlowCount_TLS.sum", + "type": "long" + }, + { + "description": "The total number of bytes processed by the load balancer, including TCP/IP headers.", + "name": "ProcessedBytes.sum", + "type": "long" + }, + { + "description": "The total number of bytes processed by TLS listeners.", + "name": "ProcessedBytes_TLS.sum", + "type": "long" + }, + { + "description": "The total number of TLS handshakes that failed during negotiation between a TLS listener and a target.", + "name": "TargetTLSNegotiationErrorCount.sum", + "type": "long" + }, + { + "description": "The total number of reset (RST) packets sent from a client to a target.", + "name": "TCP_Client_Reset_Count.sum", + "type": "long" + }, + { + "description": "The total number of reset (RST) packets generated by the load balancer.", + "name": "TCP_ELB_Reset_Count.sum", + "type": "long" + }, + { + "description": "The total number of reset (RST) packets sent from a target to a client.", + "name": "TCP_Target_Reset_Count.sum", + "type": "long" + }, + { + "description": "The number of targets that are considered healthy.", + "name": "HealthyHostCount.max", + "type": "long" + }, + { + "description": "The number of targets that are considered unhealthy.", + "name": "UnHealthyHostCount.max", + "type": "long" + } + ], + "name": "metrics", + "type": "group" + } + ], + "name": "networkelb", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "lambda": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`lambda` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS Lambda.\n", + "fields": [ + { + "fields": [ + { + "description": "The number of times your function code is executed, including successful executions and executions that result in a function 
error.", + "name": "Invocations.avg", + "type": "double" + }, + { + "description": "The number of invocations that result in a function error.", + "name": "Errors.avg", + "type": "double" + }, + { + "description": "For asynchronous invocation, the number of times Lambda attempts to send an event to a dead-letter queue but fails.", + "name": "DeadLetterErrors.avg", + "type": "double" + }, + { + "description": "For asynchronous invocation, the number of times Lambda attempts to send an event to a destination but fails.", + "name": "DestinationDeliveryFailures.avg", + "type": "double" + }, + { + "description": "The amount of time that your function code spends processing an event.", + "name": "Duration.avg", + "type": "double" + }, + { + "description": "The number of invocation requests that are throttled.", + "name": "Throttles.avg", + "type": "double" + }, + { + "description": "For event source mappings that read from streams, the age of the last record in the event.", + "name": "IteratorAge.avg", + "type": "double" + }, + { + "description": "The number of function instances that are processing events.", + "name": "ConcurrentExecutions.avg", + "type": "double" + }, + { + "description": "For an AWS Region, the number of events that are being processed by functions that don't have reserved concurrency.", + "name": "UnreservedConcurrentExecutions.avg", + "type": "double" + }, + { + "description": "The number of function instances that are processing events on provisioned concurrency.", + "name": "ProvisionedConcurrentExecutions.max", + "type": "long" + }, + { + "description": "For a version or alias, the value of ProvisionedConcurrentExecutions divided by the total amount of provisioned concurrency allocated.", + "name": "ProvisionedConcurrencyUtilization.max", + "type": "long" + }, + { + "description": "The number of times your function code is executed on provisioned concurrency.", + "name": "ProvisionedConcurrencyInvocations.sum", + "type": "long" + }, + { + 
"description": "The number of times your function code is executed on standard concurrency when all provisioned concurrency is in use.", + "name": "ProvisionedConcurrencySpilloverInvocations.sum", + "type": "long" + } + ], + "name": "metrics", + "type": "group" + } + ], + "name": "lambda", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "natgateway": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`natgateway` contains the metrics from Cloudwatch to track usage of NAT gateway related resources.\n", + "fields": [ + { + "fields": [ + { + "description": "The number of bytes received by the NAT gateway from the destination.", + "name": "BytesInFromDestination.sum", + "type": "long" + }, + { + "description": "The number of bytes received by the NAT gateway from clients in your VPC.", + "name": "BytesInFromSource.sum", + "type": "long" + }, + { + "description": "The number of bytes sent out through the NAT gateway to the destination.", + "name": "BytesOutToDestination.sum", + "type": "long" + }, + { + "description": "The number of bytes sent through the NAT gateway to the clients in your VPC.", + "name": "BytesOutToSource.sum", + "type": "long" + }, + { + "description": "The number of connection attempts made through the NAT gateway.", + "name": "ConnectionAttemptCount.sum", + "type": "long" + }, + { + "description": "The number of connections established through the NAT gateway.", + "name": "ConnectionEstablishedCount.sum", + "type": "long" + }, + { + "description": "The number of times the NAT gateway could not allocate a source port.", + "name": "ErrorPortAllocation.sum", + "type": "long" + }, + { + "description": "The number of connections that transitioned from the active state to the idle state.", + "name": "IdleTimeoutCount.sum", + "type": "long" + }, + { + "description": "The number of packets dropped by the NAT gateway.", + "name": "PacketsDropCount.sum", + "type": "long" + }, + { + "description": "The number 
of packets received by the NAT gateway from the destination.", + "name": "PacketsInFromDestination.sum", + "type": "long" + }, + { + "description": "The number of packets received by the NAT gateway from clients in your VPC.", + "name": "PacketsInFromSource.sum", + "type": "long" + }, + { + "description": "The number of packets sent out through the NAT gateway to the destination.", + "name": "PacketsOutToDestination.sum", + "type": "long" + }, + { + "description": "The number of packets sent through the NAT gateway to the clients in your VPC.", + "name": "PacketsOutToSource.sum", + "type": "long" + }, + { + "description": "The total number of concurrent active TCP connections through the NAT gateway.", + "name": "ActiveConnectionCount.max", + "type": "long" + } + ], + "name": "metrics", + "type": "group" + } + ], + "name": "natgateway", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "rds": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`rds` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS RDS.\n", + "fields": [ + { + "description": "The percentage of CPU utilization.\n", + "format": "percent", + "name": "cpu.total.pct", + "type": "scaled_float" + }, + { + "description": "The number of CPU credits spent by the instance for CPU utilization.\n", + "name": "cpu.credit_usage", + "type": "long" + }, + { + "description": "The number of earned CPU credits that an instance has accrued since it was launched or started.\n", + "name": "cpu.credit_balance", + "type": "long" + }, + { + "description": "The number of database connections in use.\n", + "name": "database_connections", + "type": "long" + }, + { + "description": "Amazon Resource Name(ARN) for each rds.\n", + "name": "db_instance.arn", + "type": "keyword" + }, + { + "description": "Contains the name of the compute and memory capacity class of the DB instance.\n", + "name": "db_instance.class", + "type": 
"keyword" + }, + { + "description": "Contains a user-supplied database identifier. This identifier is the unique key that identifies a DB instance.\n", + "name": "db_instance.identifier", + "type": "keyword" + }, + { + "description": "Specifies the current state of this database.\n", + "name": "db_instance.status", + "type": "keyword" + }, + { + "description": "The number of outstanding IOs (read/write requests) waiting to access the disk.\n", + "name": "disk_queue_depth", + "type": "float" + }, + { + "description": "The number of failed SQL Server Agent jobs during the last minute.\n", + "name": "failed_sql_server_agent_jobs", + "type": "long" + }, + { + "description": "The amount of available random access memory.\n", + "format": "bytes", + "name": "freeable_memory.bytes", + "type": "long" + }, + { + "description": "The amount of available storage space.\n", + "format": "bytes", + "name": "free_storage.bytes", + "type": "long" + }, + { + "description": "The maximum transaction ID that has been used. Applies to PostgreSQL.\n", + "name": "maximum_used_transaction_ids", + "type": "long" + }, + { + "description": "The lagging size of the replica lagging the most in terms of WAL data received. Applies to PostgreSQL.\n", + "name": "oldest_replication_slot_lag.mb", + "type": "long" + }, + { + "description": "The average number of disk read I/O operations per second.\n", + "name": "read_io.ops_per_sec", + "type": "float" + }, + { + "description": "The amount of time a Read Replica DB instance lags behind the source DB instance. Applies to MySQL, MariaDB, and PostgreSQL Read Replicas.\n", + "format": "duration", + "name": "replica_lag.sec", + "type": "long" + }, + { + "description": "The amount of swap space used on the DB instance. This metric is not available for SQL Server.\n", + "format": "bytes", + "name": "swap_usage.bytes", + "type": "long" + }, + { + "description": "The disk space used by transaction logs. 
Applies to PostgreSQL.\n", + "name": "transaction_logs_generation", + "type": "long" + }, + { + "description": "The average number of disk write I/O operations per second.\n", + "name": "write_io.ops_per_sec", + "type": "float" + }, + { + "description": "The average number of queries executed per second.\n", + "name": "queries", + "type": "long" + }, + { + "description": "The average number of deadlocks in the database per second.\n", + "name": "deadlocks", + "type": "long" + }, + { + "description": "The amount of storage used by your Aurora DB instance, in bytes.\n", + "format": "bytes", + "name": "volume_used.bytes", + "type": "long" + }, + { + "description": "The number of billed read I/O operations from a cluster volume, reported at 5-minute intervals.\n", + "format": "bytes", + "name": "volume.read.iops", + "type": "long" + }, + { + "description": "The number of write disk I/O operations to the cluster volume, reported at 5-minute intervals.\n", + "format": "bytes", + "name": "volume.write.iops", + "type": "long" + }, + { + "description": "The amount of storage available for temporary tables and logs, in bytes.\n", + "format": "bytes", + "name": "free_local_storage.bytes", + "type": "long" + }, + { + "description": "The average number of failed login attempts per second.\n", + "name": "login_failures", + "type": "long" + }, + { + "description": "The average number of commit operations per second.\n", + "name": "throughput.commit", + "type": "float" + }, + { + "description": "The average number of delete queries per second.\n", + "name": "throughput.delete", + "type": "float" + }, + { + "description": "The average number of DDL requests per second.\n", + "name": "throughput.ddl", + "type": "float" + }, + { + "description": "The average number of inserts, updates, and deletes per second.\n", + "name": "throughput.dml", + "type": "float" + }, + { + "description": "The average number of insert queries per second.\n", + "name": "throughput.insert", + "type": 
"float" + }, + { + "description": "The amount of network throughput both received from and transmitted to clients by each instance in the Aurora MySQL DB cluster, in bytes per second.\n", + "name": "throughput.network", + "type": "float" + }, + { + "description": "The incoming (Receive) network traffic on the DB instance, including both customer database traffic and Amazon RDS traffic used for monitoring and replication.\n", + "name": "throughput.network_receive", + "type": "float" + }, + { + "description": "The outgoing (Transmit) network traffic on the DB instance, including both customer database traffic and Amazon RDS traffic used for monitoring and replication.\n", + "name": "throughput.network_transmit", + "type": "float" + }, + { + "description": "The average amount of time taken per disk I/O operation.\n", + "name": "throughput.read", + "type": "float" + }, + { + "description": "The average number of select queries per second.\n", + "name": "throughput.select", + "type": "float" + }, + { + "description": "The average number of update queries per second.\n", + "name": "throughput.update", + "type": "float" + }, + { + "description": "The average number of bytes written to disk per second.\n", + "name": "throughput.write", + "type": "float" + }, + { + "description": "The amount of latency for commit operations, in milliseconds.\n", + "format": "duration", + "name": "latency.commit", + "type": "float" + }, + { + "description": "The amount of latency for data definition language (DDL) requests, in milliseconds.\n", + "format": "duration", + "name": "latency.ddl", + "type": "float" + }, + { + "description": "The amount of latency for inserts, updates, and deletes, in milliseconds.\n", + "format": "duration", + "name": "latency.dml", + "type": "float" + }, + { + "description": "The amount of latency for insert queries, in milliseconds.\n", + "format": "duration", + "name": "latency.insert", + "type": "float" + }, + { + "description": "The average amount of time 
taken per disk I/O operation.\n", + "format": "duration", + "name": "latency.read", + "type": "float" + }, + { + "description": "The amount of latency for select queries, in milliseconds.\n", + "format": "duration", + "name": "latency.select", + "type": "float" + }, + { + "description": "The amount of latency for update queries, in milliseconds.\n", + "format": "duration", + "name": "latency.update", + "type": "float" + }, + { + "description": "The average amount of time taken per disk I/O operation.\n", + "format": "duration", + "name": "latency.write", + "type": "float" + }, + { + "description": "The amount of latency for delete queries, in milliseconds.\n", + "format": "duration", + "name": "latency.delete", + "type": "float" + }, + { + "description": "The amount of disk space occupied by binary logs on the master. Applies to MySQL read replicas.\n", + "format": "bytes", + "name": "disk_usage.bin_log.bytes", + "type": "long" + }, + { + "description": "The disk space used by replication slot files. Applies to PostgreSQL.\n", + "name": "disk_usage.replication_slot.mb", + "type": "long" + }, + { + "description": "The disk space used by transaction logs. 
Applies to PostgreSQL.\n", + "name": "disk_usage.transaction_logs.mb", + "type": "long" + }, + { + "description": "The average number of current transactions executing on an Aurora database instance per second.\n", + "name": "transactions.active", + "type": "long" + }, + { + "description": "The average number of transactions in the database that are blocked per second.\n", + "name": "transactions.blocked", + "type": "long" + }, + { + "description": "This identifier is the unique key that identifies a DB cluster specifically for Amazon Aurora DB cluster.\n", + "name": "db_instance.db_cluster_identifier", + "type": "keyword" + }, + { + "description": "DB roles like WRITER or READER, specifically for Amazon Aurora DB cluster.\n", + "name": "db_instance.role", + "type": "keyword" + }, + { + "description": "Each DB instance runs a DB engine, like MySQL, MariaDB, PostgreSQL and etc.\n", + "name": "db_instance.engine_name", + "type": "keyword" + }, + { + "description": "The amount of time a replica DB cluster running on Aurora with MySQL compatibility lags behind the source DB cluster.\n", + "name": "aurora_bin_log_replica_lag", + "type": "long" + }, + { + "description": "In an Aurora Global Database, the number of write I/O operations replicated from the primary AWS Region to the cluster volume in a secondary AWS Region.\n", + "name": "aurora_global_db.replicated_write_io.bytes", + "type": "long" + }, + { + "description": "In an Aurora Global Database, the amount of redo log data transferred from the master AWS Region to a secondary AWS Region.\n", + "name": "aurora_global_db.data_transfer.bytes", + "type": "long" + }, + { + "description": "For an Aurora Global Database, the amount of lag when replicating updates from the primary AWS Region, in milliseconds.\n", + "name": "aurora_global_db.replication_lag.ms", + "type": "long" + }, + { + "description": "For an Aurora Replica, the amount of lag when replicating updates from the primary instance, in milliseconds.\n", + 
"name": "aurora_replica.lag.ms", + "type": "long" + }, + { + "description": "The maximum amount of lag between the primary instance and each Aurora DB instance in the DB cluster, in milliseconds.\n", + "name": "aurora_replica.lag_max.ms", + "type": "long" + }, + { + "description": "The minimum amount of lag between the primary instance and each Aurora DB instance in the DB cluster, in milliseconds.\n", + "name": "aurora_replica.lag_min.ms", + "type": "long" + }, + { + "description": "The number of backtrack change records created over five minutes for your DB cluster.\n", + "name": "backtrack_change_records.creation_rate", + "type": "long" + }, + { + "description": "The actual number of backtrack change records used by your DB cluster.\n", + "name": "backtrack_change_records.stored", + "type": "long" + }, + { + "description": "The difference between the target backtrack window and the actual backtrack window.\n", + "name": "backtrack_window.actual", + "type": "long" + }, + { + "description": "The number of times that the actual backtrack window is smaller than the target backtrack window for a given period of time.\n", + "name": "backtrack_window.alert", + "type": "long" + }, + { + "description": "The total amount of backup storage in bytes used to support the point-in-time restore feature within the Aurora DB cluster's backup retention window.\n", + "name": "storage_used.backup_retention_period.bytes", + "type": "long" + }, + { + "description": "The total amount of backup storage in bytes consumed by all Aurora snapshots for an Aurora DB cluster outside its backup retention window.\n", + "name": "storage_used.snapshot.bytes", + "type": "long" + }, + { + "description": "The percentage of requests that are served by the buffer cache.\n", + "name": "cache_hit_ratio.buffer", + "type": "long" + }, + { + "description": "The percentage of requests that are served by the Resultset cache.\n", + "name": "cache_hit_ratio.result_set", + "type": "long" + }, + { + 
"description": "The amount of time that the instance has been running, in seconds.\n", + "name": "engine_uptime.sec", + "type": "long" + }, + { + "description": "The amount of lag in seconds when replicating updates from the primary RDS PostgreSQL instance to other nodes in the cluster.\n", + "name": "rds_to_aurora_postgresql_replica_lag.sec", + "type": "long" + }, + { + "description": "The total amount of backup storage in bytes for which you are billed for a given Aurora DB cluster.\n", + "name": "backup_storage_billed_total.bytes", + "type": "long" + }, + { + "description": "The remaining available space for the cluster volume, measured in bytes.\n", + "name": "aurora_volume_left_total.bytes", + "type": "long" + } + ], + "name": "rds", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "s3_daily_storage": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`s3_daily_storage` contains the daily storage metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS S3.\n", + "fields": [ + { + "description": "The amount of data in bytes stored in a bucket.\n", + "format": "bytes", + "name": "bucket.size.bytes", + "type": "long" + }, + { + "description": "The total number of objects stored in a bucket for all storage classes.\n", + "name": "number_of_objects", + "type": "long" + } + ], + "name": "s3_daily_storage", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "s3_request": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`s3_request` contains request metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS S3.\n", + "fields": [ + { + "description": "The total number of HTTP requests made to an Amazon S3 bucket, regardless of type.\n", + "name": "requests.total", + "type": "long" + }, + { + "description": "The number of HTTP GET requests made for objects in an Amazon S3 bucket.\n", + "name": "requests.get", + 
"type": "long" + }, + { + "description": "The number of HTTP PUT requests made for objects in an Amazon S3 bucket.\n", + "name": "requests.put", + "type": "long" + }, + { + "description": "The number of HTTP DELETE requests made for objects in an Amazon S3 bucket.\n", + "name": "requests.delete", + "type": "long" + }, + { + "description": "The number of HTTP HEAD requests made to an Amazon S3 bucket.\n", + "name": "requests.head", + "type": "long" + }, + { + "description": "The number of HTTP POST requests made to an Amazon S3 bucket.\n", + "name": "requests.post", + "type": "long" + }, + { + "description": "The number of Amazon S3 SELECT Object Content requests made for objects in an Amazon S3 bucket.\n", + "name": "requests.select", + "type": "long" + }, + { + "description": "The number of bytes of data scanned with Amazon S3 SELECT Object Content requests in an Amazon S3 bucket.\n", + "format": "bytes", + "name": "requests.select_scanned.bytes", + "type": "long" + }, + { + "description": "The number of bytes of data returned with Amazon S3 SELECT Object Content requests in an Amazon S3 bucket.\n", + "format": "bytes", + "name": "requests.select_returned.bytes", + "type": "long" + }, + { + "description": "The number of HTTP requests that list the contents of a bucket.\n", + "name": "requests.list", + "type": "long" + }, + { + "description": "The number bytes downloaded for requests made to an Amazon S3 bucket, where the response includes a body.\n", + "format": "bytes", + "name": "downloaded.bytes", + "type": "long" + }, + { + "description": "The number bytes uploaded that contain a request body, made to an Amazon S3 bucket.\n", + "format": "bytes", + "name": "uploaded.bytes", + "type": "long" + }, + { + "description": "The number of HTTP 4xx client error status code requests made to an Amazon S3 bucket with a value of either 0 or 1.\n", + "name": "errors.4xx", + "type": "long" + }, + { + "description": "The number of HTTP 5xx server error status code requests 
made to an Amazon S3 bucket with a value of either 0 or 1.\n", + "name": "errors.5xx", + "type": "long" + }, + { + "description": "The per-request time from the complete request being received by an Amazon S3 bucket to when the response starts to be returned.\n", + "format": "duration", + "name": "latency.first_byte.ms", + "type": "long" + }, + { + "description": "The elapsed per-request time from the first byte received to the last byte sent to an Amazon S3 bucket.\n", + "format": "duration", + "name": "latency.total_request.ms", + "type": "long" + } + ], + "name": "s3_request", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "sns": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`sns` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS SNS.\n", + "fields": [ + { + "fields": [ + { + "description": "The size of messages published.", + "name": "PublishSize.avg", + "type": "double" + }, + { + "description": "The rate of successful SMS message deliveries.", + "name": "SMSSuccessRate.avg", + "type": "double" + }, + { + "description": "The number of messages published to your Amazon SNS topics.", + "name": "NumberOfMessagesPublished.sum", + "type": "long" + }, + { + "description": "The number of messages successfully delivered from your Amazon SNS topics to subscribing endpoints.", + "name": "NumberOfNotificationsDelivered.sum", + "type": "long" + }, + { + "description": "The number of messages that Amazon SNS failed to deliver.", + "name": "NumberOfNotificationsFailed.sum", + "type": "long" + }, + { + "description": "The number of messages that were rejected by subscription filter policies.", + "name": "NumberOfNotificationsFilteredOut.sum", + "type": "long" + }, + { + "description": "The number of messages that were rejected by subscription filter policies because the messages' attributes are invalid - for example, because the attribute JSON is incorrectly 
formatted.", + "name": "NumberOfNotificationsFilteredOut-InvalidAttributes.sum", + "type": "long" + }, + { + "description": "The number of messages that were rejected by subscription filter policies because the messages have no attributes.", + "name": "NumberOfNotificationsFilteredOut-NoMessageAttributes.sum", + "type": "long" + }, + { + "description": "The number of messages that have been moved to a dead-letter queue.", + "name": "NumberOfNotificationsRedrivenToDlq.sum", + "type": "long" + }, + { + "description": "The number of messages that couldn't be moved to a dead-letter queue.", + "name": "NumberOfNotificationsFailedToRedriveToDlq.sum", + "type": "long" + }, + { + "description": "The charges you have accrued since the start of the current calendar month for sending SMS messages.", + "name": "SMSMonthToDateSpentUSD.sum", + "type": "long" + } + ], + "name": "metrics", + "type": "group" + } + ], + "name": "sns", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "sqs": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`sqs` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS SQS.\n", + "fields": [ + { + "description": "The approximate age of the oldest non-deleted message in the queue.\n", + "format": "duration", + "name": "oldest_message_age.sec", + "type": "long" + }, + { + "description": "TThe number of messages in the queue that are delayed and not available for reading immediately.\n", + "name": "messages.delayed", + "type": "long" + }, + { + "description": "The number of messages that are in flight.\n", + "name": "messages.not_visible", + "type": "long" + }, + { + "description": "The number of messages available for retrieval from the queue.\n", + "name": "messages.visible", + "type": "long" + }, + { + "description": "The number of messages deleted from the queue.\n", + "name": "messages.deleted", + "type": "long" + }, + { + "description": "The number of 
messages returned by calls to the ReceiveMessage action.\n", + "name": "messages.received", + "type": "long" + }, + { + "description": "The number of messages added to a queue.\n", + "name": "messages.sent", + "type": "long" + }, + { + "description": "The number of ReceiveMessage API calls that did not return a message.\n", + "name": "empty_receives", + "type": "long" + }, + { + "description": "The size of messages added to a queue.\n", + "format": "bytes", + "name": "sent_message_size.bytes", + "type": "long" + }, + { + "description": "SQS queue name\n", + "name": "queue.name", + "type": "keyword" + } + ], + "name": "sqs", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "transitgateway": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`transitgateway` contains the metrics from Cloudwatch to track usage of transit gateway related resources.\n", + "fields": [ + { + "fields": [ + { + "description": "The number of bytes received by the transit gateway.", + "name": "BytesIn.sum", + "type": "long" + }, + { + "description": "The number of bytes sent from the transit gateway.", + "name": "BytesOut.sum", + "type": "long" + }, + { + "description": "The number of packets received by the transit gateway.", + "name": "PacketsIn.sum", + "type": "long" + }, + { + "description": "The number of packets sent by the transit gateway.", + "name": "PacketsOut.sum", + "type": "long" + }, + { + "description": "The number of packets dropped because they matched a blackhole route.", + "name": "PacketDropCountBlackhole.sum", + "type": "long" + }, + { + "description": "The number of packets dropped because they did not match a route.", + "name": "PacketDropCountNoRoute.sum", + "type": "long" + } + ], + "name": "metrics", + "type": "group" + } + ], + "name": "transitgateway", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "usage": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`usage` 
contains the metrics from Cloudwatch to track usage of some AWS resources.\n", + "fields": [ + { + "fields": [ + { + "description": "The number of specified API operations performed in your account.", + "name": "CallCount.sum", + "type": "long" + }, + { + "description": "The number of the specified resources running in your account. The resources are defined by the dimensions associated with the metric.", + "name": "ResourceCount.sum", + "type": "long" + } + ], + "name": "metrics", + "type": "group" + } + ], + "name": "usage", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "vpn": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`vpn` contains the metrics from Cloudwatch to track usage of VPN related resources.\n", + "fields": [ + { + "fields": [ + { + "description": "The state of the tunnel. For static VPNs, 0 indicates DOWN and 1 indicates UP. For BGP VPNs, 1 indicates ESTABLISHED and 0 is used for all other states.", + "name": "TunnelState.avg", + "type": "double" + }, + { + "description": "The bytes received through the VPN tunnel.", + "name": "TunnelDataIn.sum", + "type": "double" + }, + { + "description": "The bytes sent through the VPN tunnel.", + "name": "TunnelDataOut.sum", + "type": "double" + } + ], + "name": "metrics", + "type": "group" + } + ], + "name": "vpn", + "release": "beta", + "type": "group" + } + ] + } + } + } + } + } + }, + "azure": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "client_id": "${AZURE_CLIENT_ID:\"\"}", + "client_secret": "${AZURE_CLIENT_SECRET:\"\"}", + "enabled": true, + "metricsets": [ + "monitor" + ], + "module": "azure", + "period": "300s", + "refresh_list_interval": "600s", + "resources": null, + "subscription_id": "${AZURE_SUBSCRIPTION_ID:\"\"}", + "tenant_id": "${AZURE_TENANT_ID:\"\"}" + } + ], + "fields.yml": [ + { + "description": "azure module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "The Azure metric 
timegrain\n", + "name": "timegrain", + "type": "keyword" + }, + { + "description": "The resource specified\n", + "fields": [ + { + "description": "The type of the resource\n", + "name": "type", + "type": "keyword" + }, + { + "description": "The resource group\n", + "name": "group", + "type": "keyword" + }, + { + "description": "Azure resource tags.\n", + "name": "tags.*", + "object_type": "keyword", + "object_type_mapping_type": "*", + "type": "object" + } + ], + "name": "resource", + "type": "group" + }, + { + "description": "The namespace selected\n", + "name": "namespace", + "type": "keyword" + }, + { + "description": "The subscription ID\n", + "name": "subscription_id", + "type": "keyword" + }, + { + "description": "Azure metric dimensions.\n", + "name": "dimensions.*", + "object_type": "keyword", + "object_type_mapping_type": "*", + "type": "object" + } + ], + "name": "azure", + "type": "group" + } + ], + "key": "azure", + "release": "ga", + "title": "Azure" + } + ] + } + }, + "app_insights": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "application insights\n", + "fields": [ + { + "description": "The application ID\n", + "name": "application_id", + "type": "keyword" + }, + { + "description": "The start date\n", + "name": "start_date", + "type": "date" + }, + { + "description": "The end date\n", + "name": "end_date", + "type": "date" + }, + { + "description": "The metrics\n", + "name": "metrics.*.*", + "object_type": "float", + "object_type_mapping_type": "*", + "type": "object" + } + ], + "name": "app_insights", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "billing": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "billing and usage details\n", + "fields": [ + { + "description": "The currency\n", + "name": "currency", + "type": "keyword" + }, + { + "description": "Cost\n", + "name": "pretax_cost", + "type": "float" + }, + { + "description": "The department name\n", + 
"name": "department_name", + "type": "keyword" + }, + { + "description": "The product type\n", + "name": "product", + "type": "keyword" + }, + { + "description": "The usage start date\n", + "name": "usage_start", + "type": "date" + }, + { + "description": "The usage end date\n", + "name": "usage_end", + "type": "date" + }, + { + "description": "The billing period id\n", + "name": "billing_period_id", + "type": "keyword" + }, + { + "description": "The billing account name\n", + "name": "account_name", + "type": "keyword" + }, + { + "description": "The actual cost\n", + "name": "actual_cost", + "type": "float" + }, + { + "description": "The forecast cost\n", + "name": "forecast_cost", + "type": "float" + }, + { + "description": "The usage date\n", + "name": "usage_date", + "type": "date" + } + ], + "name": "billing", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "compute_vm": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "compute_vm\n", + "name": "compute_vm.*.*", + "object_type": "float", + "object_type_mapping_type": "*", + "release": "ga", + "type": "object" + } + ] + } + } + } + }, + "compute_vm_scaleset": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "compute_vm_scaleset\n", + "name": "compute_vm_scaleset.*.*", + "object_type": "float", + "object_type_mapping_type": "*", + "release": "ga", + "type": "object" + } + ] + } + } + } + }, + "container_instance": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "container instance\n", + "name": "container_instance.*.*", + "object_type": "float", + "object_type_mapping_type": "*", + "release": "ga", + "type": "object" + } + ] + } + } + } + }, + "container_registry": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "container registry\n", + "name": "container_registry.*.*", + "object_type": "float", + "object_type_mapping_type": "*", + "release": "ga", + "type": 
"object" + } + ] + } + } + } + }, + "container_service": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "container service\n", + "name": "container_service.*.*", + "object_type": "float", + "object_type_mapping_type": "*", + "release": "ga", + "type": "object" + } + ] + } + } + } + }, + "database_account": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "database account\n", + "name": "database_account.*.*", + "object_type": "float", + "object_type_mapping_type": "*", + "release": "ga", + "type": "object" + } + ] + } + } + } + }, + "monitor": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "monitor\n", + "fields": [ + { + "description": "Metrics returned.\n", + "name": "metrics.*.*", + "object_type": "float", + "object_type_mapping_type": "*", + "type": "object" + } + ], + "name": "monitor", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "storage": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "storage account\n", + "name": "storage.*.*", + "object_type": "float", + "object_type_mapping_type": "*", + "release": "ga", + "type": "object" + } + ] + } + } + } + } + } + }, + "beat": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "http://localhost:5066" + ], + "metricsets": [ + "stats", + "state" + ], + "module": "beat", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Beat module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "Beat ID.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Beat type.\n", + "name": "type", + "type": "keyword" + } + ], + "name": "beat", + "type": "group" + } + ], + "key": "beat", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "short_config": false, + "title": "Beat" + } + ] + } + }, + "state": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Beat 
state\n", + "fields": [ + { + "description": "Is central management enabled?\n", + "name": "management.enabled", + "type": "boolean" + }, + { + "description": "Number of modules enabled\n", + "name": "module.count", + "type": "integer" + }, + { + "description": "Name of output used by Beat\n", + "name": "output.name", + "type": "keyword" + }, + { + "description": "Name of queue being used by Beat\n", + "name": "queue.name", + "type": "keyword" + } + ], + "name": "state", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "stats": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Beat stats\n", + "fields": [ + { + "description": "Beat uptime\n", + "name": "uptime.ms", + "type": "long" + }, + { + "description": "Number of goroutines running in Beat\n", + "name": "runtime.goroutines", + "type": "long" + }, + { + "description": "Fields common to all Beats\n", + "fields": [ + { + "description": "Output stats\n", + "fields": [ + { + "description": "Type of output\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Event counters\n", + "fields": [ + { + "description": "Number of events acknowledged\n", + "name": "acked", + "type": "long" + }, + { + "description": "Number of active events\n", + "name": "active", + "type": "long" + }, + { + "description": "Number of event batches\n", + "name": "batches", + "type": "long" + }, + { + "description": "Number of events dropped\n", + "name": "dropped", + "type": "long" + }, + { + "description": "Number of events duplicated\n", + "name": "duplicates", + "type": "long" + }, + { + "description": "Number of events failed\n", + "name": "failed", + "type": "long" + }, + { + "description": "Number of too many events\n", + "name": "toomany", + "type": "long" + }, + { + "description": "Total number of events\n", + "name": "total", + "type": "long" + } + ], + "name": "events", + "type": "group" + }, + { + "description": "Read stats\n", + "fields": [ + { + "description": "Number 
of bytes read\n", + "name": "bytes", + "type": "long" + }, + { + "description": "Number of read errors\n", + "name": "errors", + "type": "long" + } + ], + "name": "read", + "type": "group" + }, + { + "description": "Write stats\n", + "fields": [ + { + "description": "Number of bytes written\n", + "name": "bytes", + "type": "long" + }, + { + "description": "Number of write errors\n", + "name": "errors", + "type": "long" + } + ], + "name": "write", + "type": "group" + } + ], + "name": "output", + "type": "group" + } + ], + "name": "libbeat", + "type": "group" + } + ], + "name": "stats", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "ceph": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:5000" + ], + "module": "ceph", + "period": "10s" + }, + { + "hosts": [ + "localhost:5000" + ], + "module": "ceph", + "period": "1m" + } + ], + "fields.yml": [ + { + "description": "Ceph module\n", + "fields": [ + { + "description": "`ceph` contains the metrics that were scraped from CEPH.\n", + "fields": null, + "name": "ceph", + "type": "group" + } + ], + "key": "ceph", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "short_config": false, + "title": "Ceph" + } + ] + } + }, + "cluster_disk": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "cluster_disk\n", + "fields": [ + { + "description": "Available bytes of the cluster\n", + "format": "bytes", + "name": "available.bytes", + "type": "long" + }, + { + "description": "Total bytes of the cluster\n", + "format": "bytes", + "name": "total.bytes", + "type": "long" + }, + { + "description": "Used bytes of the cluster\n", + "format": "bytes", + "name": "used.bytes", + "type": "long" + } + ], + "name": "cluster_disk", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "cluster_health": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "cluster_health\n", + "fields": [ + { + 
"description": "Overall status of the cluster\n", + "name": "overall_status", + "type": "keyword" + }, + { + "description": "Map version\n", + "name": "timechecks.epoch", + "type": "long" + }, + { + "description": "timecheck round\n", + "name": "timechecks.round.value", + "type": "long" + }, + { + "description": "Status of the round\n", + "name": "timechecks.round.status", + "type": "keyword" + } + ], + "name": "cluster_health", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "cluster_status": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "cluster_status\n", + "fields": [ + { + "description": "Ceph Status version\n", + "name": "version", + "type": "long" + }, + { + "description": "Cluster read throughput per second\n", + "format": "bytes", + "name": "traffic.read_bytes", + "type": "long" + }, + { + "description": "Cluster write throughput per second\n", + "format": "bytes", + "name": "traffic.write_bytes", + "type": "long" + }, + { + "description": "Cluster read iops per second\n", + "name": "traffic.read_op_per_sec", + "type": "long" + }, + { + "description": "Cluster write iops per second\n", + "name": "traffic.write_op_per_sec", + "type": "long" + }, + { + "description": "Cluster misplace pg number\n", + "name": "misplace.total", + "type": "long" + }, + { + "description": "Cluster misplace objects number\n", + "name": "misplace.objects", + "type": "long" + }, + { + "description": "Cluster misplace ratio\n", + "format": "percent", + "name": "misplace.ratio", + "type": "scaled_float" + }, + { + "description": "Cluster degraded pg number\n", + "name": "degraded.total", + "type": "long" + }, + { + "description": "Cluster degraded objects number\n", + "name": "degraded.objects", + "type": "long" + }, + { + "description": "Cluster degraded ratio\n", + "format": "percent", + "name": "degraded.ratio", + "type": "scaled_float" + }, + { + "description": "Cluster pg data bytes\n", + "format": "bytes", + "name": 
"pg.data_bytes", + "type": "long" + }, + { + "description": "Cluster available bytes\n", + "format": "bytes", + "name": "pg.avail_bytes", + "type": "long" + }, + { + "description": "Cluster total bytes\n", + "format": "bytes", + "name": "pg.total_bytes", + "type": "long" + }, + { + "description": "Cluster used bytes\n", + "format": "bytes", + "name": "pg.used_bytes", + "type": "long" + }, + { + "description": "Pg state description\n", + "name": "pg_state.state_name", + "type": "long" + }, + { + "description": "Shows how many pgs are in state of pg_state.state_name\n", + "name": "pg_state.count", + "type": "long" + }, + { + "description": "Cluster status version\n", + "name": "pg_state.version", + "type": "long" + }, + { + "description": "Is osd full\n", + "name": "osd.full", + "type": "boolean" + }, + { + "description": "Is osd near full\n", + "name": "osd.nearfull", + "type": "boolean" + }, + { + "description": "Shows how many osds in the cluster\n", + "name": "osd.num_osds", + "type": "long" + }, + { + "description": "Shows how many osds are on the state of UP\n", + "name": "osd.num_up_osds", + "type": "long" + }, + { + "description": "Shows how many osds are on the state of IN\n", + "name": "osd.num_in_osds", + "type": "long" + }, + { + "description": "Shows how many osds are on the state of REMAPPED\n", + "name": "osd.num_remapped_pgs", + "type": "long" + }, + { + "description": "epoch number\n", + "name": "osd.epoch", + "type": "long" + } + ], + "name": "cluster_status", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "mgr_cluster_disk": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "see: cluster_disk\n", + "fields": null, + "name": "mgr_cluster_disk", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "json", + "type": "http", + "url": "/request?wait=1" + } + } + } + } + } + } + }, + "mgr_cluster_health": { + "folders": { + "_meta": { 
+ "files": { + "fields.yml": [ + { + "description": "see: cluster_health\n", + "fields": null, + "name": "mgr_cluster_health", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "mgr_osd_perf": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "OSD performance metrics of Ceph cluster\n", + "fields": [ + { + "description": "OSD ID", + "name": "id", + "type": "long" + }, + { + "description": "Commit latency in ms", + "name": "stats.commit_latency_ms", + "type": "long" + }, + { + "description": "Apply latency in ms", + "name": "stats.apply_latency_ms", + "type": "long" + }, + { + "description": "Commit latency in ns", + "name": "stats.commit_latency_ns", + "type": "long" + }, + { + "description": "Apply latency in ns", + "name": "stats.apply_latency_ns", + "type": "long" + } + ], + "name": "mgr_osd_perf", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "json", + "type": "http", + "url": "/request?wait=1" + } + } + } + } + } + } + }, + "mgr_osd_pool_stats": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "OSD pool stats of Ceph cluster\n", + "fields": [ + { + "description": "Pool name", + "name": "pool_name", + "type": "keyword" + }, + { + "description": "Pool ID", + "name": "pool_id", + "type": "long" + }, + { + "description": "Client I/O rates", + "fields": [ + { + "keyword": "Bytes read per second", + "name": "read_bytes_sec", + "type": "long" + }, + { + "keyword": "Bytes written per second", + "name": "write_bytes_sec", + "type": "long" + }, + { + "keyword": "Read operations per second", + "name": "read_op_per_sec", + "type": "long" + }, + { + "keyword": "Write operations per second", + "name": "write_op_per_sec", + "type": "long" + } + ], + "name": "client_io_rate", + "type": "object" + } + ], + "name": "mgr_osd_pool_stats", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + 
"files": { + "config.yml": { + "suffix": "json", + "type": "http", + "url": "/request?wait=1" + } + } + } + } + } + } + }, + "mgr_osd_tree": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "see: osd_tree\n", + "fields": null, + "name": "mgr_osd_tree", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "json", + "type": "http", + "url": "/request?wait=1" + } + } + } + } + } + } + }, + "mgr_pool_disk": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "see: pool_disk\n", + "fields": null, + "name": "mgr_pool_disk", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "json", + "type": "http", + "url": "/request?wait=1" + } + } + } + } + } + } + }, + "monitor_health": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "monitor_health stats data\n", + "fields": [ + { + "description": "Available percent of the MON\n", + "name": "available.pct", + "type": "long" + }, + { + "description": "Health of the MON\n", + "name": "health", + "type": "keyword" + }, + { + "description": "Available KB of the MON\n", + "name": "available.kb", + "type": "long" + }, + { + "description": "Total KB of the MON\n", + "name": "total.kb", + "type": "long" + }, + { + "description": "Used KB of the MON\n", + "name": "used.kb", + "type": "long" + }, + { + "description": "Time when was updated\n", + "name": "last_updated", + "type": "date" + }, + { + "description": "Name of the MON\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Log bytes of MON\n", + "format": "bytes", + "name": "store_stats.log.bytes", + "type": "long" + }, + { + "description": "Misc bytes of MON\n", + "format": "bytes", + "name": "store_stats.misc.bytes", + "type": "long" + }, + { + "description": "SST bytes of MON\n", + "format": "bytes", + "name": 
"store_stats.sst.bytes", + "type": "long" + }, + { + "description": "Total bytes of MON\n", + "format": "bytes", + "name": "store_stats.total.bytes", + "type": "long" + }, + { + "description": "Last updated\n", + "name": "store_stats.last_updated", + "type": "long" + } + ], + "name": "monitor_health", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "type": "http", + "url": "/api/v0.1/health" + } + } + } + } + } + } + }, + "osd_df": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "ceph osd disk usage information\n", + "fields": [ + { + "description": "osd node id\n", + "name": "id", + "type": "long" + }, + { + "description": "osd node name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "osd node type, illegal type include hdd, ssd etc.\n", + "name": "device_class", + "type": "keyword" + }, + { + "description": "osd disk total volume\n", + "format": "bytes", + "name": "total.byte", + "type": "long" + }, + { + "description": "osd disk usage volume\n", + "format": "bytes", + "name": "used.byte", + "type": "long" + }, + { + "description": "osd disk available volume\n", + "format": "bytes", + "name": "available.bytes", + "type": "long" + }, + { + "description": "shows how many pg located on this osd\n", + "name": "pg_num", + "type": "long" + }, + { + "description": "osd disk usage percentage\n", + "format": "percent", + "name": "used.pct", + "type": "scaled_float" + } + ], + "name": "osd_df", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "osd_tree": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "ceph osd tree info\n", + "fields": [ + { + "description": "osd or bucket node id\n", + "name": "id", + "type": "long" + }, + { + "description": "osd or bucket node name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "osd or bucket node type, illegal type include osd, host, root etc.\n", 
+ "name": "type", + "type": "keyword" + }, + { + "description": "osd or bucket node typeID\n", + "name": "type_id", + "type": "long" + }, + { + "description": "bucket children list, separated by comma.\n", + "name": "children", + "type": "keyword" + }, + { + "description": "osd node crush weight\n", + "name": "crush_weight", + "type": "float" + }, + { + "description": "node depth\n", + "name": "depth", + "type": "long" + }, + { + "description": "is node still exist or not(1-yes, 0-no)\n", + "name": "exists", + "type": "boolean" + }, + { + "description": "the weight of reading data from primary osd\n", + "name": "primary_affinity", + "type": "float" + }, + { + "description": "the reweight of osd\n", + "name": "reweight", + "type": "long" + }, + { + "description": "status of osd, it should be up or down\n", + "name": "status", + "type": "keyword" + }, + { + "description": "the device class of osd, like hdd, ssd etc.\n", + "name": "device_class", + "type": "keyword" + }, + { + "description": "the parent node of this osd or bucket node\n", + "name": "father", + "type": "keyword" + } + ], + "name": "osd_tree", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "pool_disk": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "pool_disk\n", + "fields": [ + { + "description": "Id of the pool\n", + "name": "id", + "type": "long" + }, + { + "description": "Name of the pool\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Available bytes of the pool\n", + "format": "bytes", + "name": "stats.available.bytes", + "type": "long" + }, + { + "description": "Number of objects of the pool\n", + "name": "stats.objects", + "type": "long" + }, + { + "description": "Used bytes of the pool\n", + "format": "bytes", + "name": "stats.used.bytes", + "type": "long" + }, + { + "description": "Used kb of the pool\n", + "name": "stats.used.kb", + "type": "long" + } + ], + "name": "pool_disk", + "release": "ga", + "type": "group" + } + 
] + } + } + } + } + } + }, + "cloudfoundry": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "api_address": "${CLOUDFOUNDRY_API_ADDRESS:\"\"}", + "client_id": "${CLOUDFOUNDRY_CLIENT_ID:\"\"}", + "client_secret": "${CLOUDFOUNDRY_CLIENT_SECRET:\"\"}", + "enabled": true, + "metricsets": [ + "container", + "counter", + "value" + ], + "module": "cloudfoundry" + } + ], + "fields.yml": [ + { + "description": "Cloud Foundry module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "The type of event from Cloud Foundry. Possible values include 'container', 'counter' and 'value'.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "The application the metric is associated with.\n", + "fields": [ + { + "description": "The ID of the application.\n", + "name": "id", + "type": "keyword" + } + ], + "name": "app", + "type": "group" + } + ], + "name": "cloudfoundry", + "type": "group" + } + ], + "key": "cloudfoundry", + "release": "beta", + "title": "Cloudfoundry" + } + ] + } + }, + "container": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`container` contains container metrics from Cloud Foundry.\n", + "fields": [ + { + "description": "Index of the instance the metric belongs to.\n", + "name": "instance_index", + "type": "long" + }, + { + "description": "CPU usage percentage.\n", + "name": "cpu.pct", + "type": "float" + }, + { + "description": "Bytes of used memory.\n", + "name": "memory.bytes", + "type": "long" + }, + { + "description": "Bytes of available memory.\n", + "name": "memory.quota.bytes", + "type": "long" + }, + { + "description": "Bytes of used storage.\n", + "name": "disk.bytes", + "type": "long" + }, + { + "description": "Bytes of available storage.\n", + "name": "disk.quota.bytes", + "type": "long" + } + ], + "name": "container", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "counter": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + 
{ + "description": "`counter` contains counter metrics from Cloud Foundry.\n", + "fields": [ + { + "description": "The name of the counter.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "The difference between the last time the counter event occurred.\n", + "name": "delta", + "type": "long" + }, + { + "description": "The total value for the counter.\n", + "name": "total", + "type": "long" + } + ], + "name": "counter", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "value": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`value` contains counter metrics from Cloud Foundry.\n", + "fields": [ + { + "description": "The name of the value.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "The unit of the value.\n", + "name": "unit", + "type": "keyword" + }, + { + "description": "The value of the value.\n", + "name": "value", + "type": "float" + } + ], + "name": "value", + "release": "beta", + "type": "group" + } + ] + } + } + } + } + } + }, + "cockroachdb": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:8080" + ], + "metricsets": [ + "status" + ], + "module": "cockroachdb", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "CockroachDB module\n", + "fields": [ + { + "fields": null, + "name": "cockroachdb", + "type": "group" + } + ], + "key": "cockroachdb", + "release": "beta", + "settings": [ + "ssl", + "http" + ], + "title": "CockroachDB" + } + ] + } + }, + "status": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "release": "beta" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "remove_fields_from_comparison": [ + "prometheus.labels.instance" + ], + "suffix": "plain", + "type": "http", + "url": "/_status/vars" + } + } + } + } + } + } + } + } + }, + "consul": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "enabled": true, + "hosts": [ + 
"localhost:8500" + ], + "metricsets": [ + "agent" + ], + "module": "consul", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Consul module\n", + "fields": [ + { + "fields": null, + "name": "consul", + "type": "group" + } + ], + "key": "consul", + "release": "beta", + "title": "Consul" + } + ] + } + }, + "agent": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Agent Metricset fetches metrics information from a Consul instance running as Agent\n", + "fields": [ + { + "fields": [ + { + "description": "Overall health of the local server cluster", + "name": "healthy", + "type": "boolean" + } + ], + "name": "autopilot", + "type": "group" + }, + { + "description": "Runtime related metrics", + "fields": [ + { + "fields": [ + { + "description": "Number of bytes of memory obtained from the OS.", + "name": "bytes", + "type": "long" + } + ], + "name": "sys", + "type": "group" + }, + { + "description": "Heap objects allocated", + "name": "malloc_count", + "type": "long" + }, + { + "description": "Objects allocated on the heap and is a general memory pressure indicator. This may burst from time to time but should return to a steady state value.", + "name": "heap_objects", + "type": "long" + }, + { + "description": "Running goroutines and is a general load pressure indicator. 
This may burst from time to time but should return to a steady state value.", + "name": "goroutines", + "type": "long" + }, + { + "fields": [ + { + "description": "Bytes allocated by the Consul process.", + "name": "bytes", + "type": "long" + } + ], + "name": "alloc", + "type": "group" + }, + { + "description": "Garbage collector metrics", + "fields": [ + { + "description": "Garbage collector total executions", + "name": "runs", + "type": "long" + }, + { + "description": "Time that the garbage collector has paused the app", + "fields": [ + { + "fields": [ + { + "description": "Garbage collector pause time in nanoseconds", + "name": "ns", + "type": "long" + } + ], + "name": "current", + "type": "group" + }, + { + "fields": [ + { + "description": "Nanoseconds consumed by stop-the-world garbage collection pauses since Consul started.", + "name": "ns", + "type": "long" + } + ], + "name": "total", + "type": "group" + } + ], + "name": "pause", + "type": "group" + } + ], + "name": "garbage_collector", + "type": "group" + } + ], + "name": "runtime", + "type": "group" + } + ], + "name": "agent", + "release": "beta", + "type": "group" + } + ] + } + } + } + } + } + }, + "coredns": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:9153" + ], + "metricsets": [ + "stats" + ], + "module": "coredns", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "coredns Module\n", + "fields": [ + { + "description": "`coredns` contains statistics that were read from coreDNS\n", + "fields": null, + "name": "coredns", + "type": "group" + } + ], + "key": "coredns", + "release": "ga", + "title": "Coredns" + } + ] + } + }, + "stats": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains statistics related to the coreDNS service\n", + "fields": [ + { + "description": "Total number of panics\n", + "name": "panic.count", + "type": "long" + }, + { + "description": "Total query count\n", + "name": 
"dns.request.count", + "type": "long" + }, + { + "description": "Request duration histogram buckets in nanoseconds\n", + "name": "dns.request.duration.ns.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Requests duration, sum of durations in nanoseconds\n", + "format": "duration", + "name": "dns.request.duration.ns.sum", + "type": "long" + }, + { + "description": "Requests duration, number of requests\n", + "name": "dns.request.duration.ns.count", + "type": "long" + }, + { + "description": "Request Size histogram buckets\n", + "name": "dns.request.size.bytes.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Request Size histogram sum\n", + "name": "dns.request.size.bytes.sum", + "type": "long" + }, + { + "description": "Request Size histogram count\n", + "name": "dns.request.size.bytes.count", + "type": "long" + }, + { + "description": "Number of queries that have the DO bit set\n", + "name": "dns.request.do.count", + "type": "long" + }, + { + "description": "Counter of queries per zone and type\n", + "name": "dns.request.type.count", + "type": "long" + }, + { + "description": "Holds the query type of the request\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Counter of responses per zone and rcode\n", + "name": "dns.response.rcode.count", + "type": "long" + }, + { + "description": "Holds the rcode of the response\n", + "name": "rcode", + "type": "keyword" + }, + { + "description": "The address family of the transport (1 = IP (IP version 4), 2 = IP6 (IP version 6))\n", + "name": "family", + "type": "keyword" + }, + { + "description": "Response Size histogram buckets\n", + "name": "dns.response.size.bytes.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Response Size histogram sum\n", + "name": "dns.response.size.bytes.sum", + "type": "long" + }, + { + "description": "Response Size histogram count\n", + "name": "dns.response.size.bytes.count", + 
"type": "long" + }, + { + "description": "The server responsible for the request\n", + "name": "server", + "type": "keyword" + }, + { + "description": "The zonename used for the request/response\n", + "name": "zone", + "type": "keyword" + }, + { + "description": "The transport of the response (\"udp\" or \"tcp\")\n", + "name": "proto", + "type": "keyword" + }, + { + "description": "Cache hits count for the cache plugin\n", + "name": "dns.cache.hits.count", + "type": "long" + }, + { + "description": "Cache misses count for the cache plugin\n", + "name": "dns.cache.misses.count", + "type": "long" + } + ], + "name": "stats", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + } + } + }, + "couchbase": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:8091" + ], + "module": "couchbase", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Metrics collected from Couchbase servers.\n", + "fields": [ + { + "description": "`couchbase` contains the metrics that were scraped from Couchbase.\n", + "fields": null, + "name": "couchbase", + "type": "group" + } + ], + "key": "couchbase", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "short_config": false, + "title": "Couchbase" + } + ] + } + }, + "bucket": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Couchbase bucket metrics.\n", + "fields": [ + { + "description": "Name of the bucket.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Type of the bucket.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Size of user data within buckets of the specified state that are resident in RAM.\n", + "format": "bytes", + "name": "data.used.bytes", + "type": "long" + }, + { + "description": "Number of disk fetches.\n", + "name": "disk.fetches", + "type": 
"double" + }, + { + "description": "Amount of disk used (bytes).\n", + "format": "bytes", + "name": "disk.used.bytes", + "type": "long" + }, + { + "description": "Amount of memory used by the bucket (bytes).\n", + "format": "bytes", + "name": "memory.used.bytes", + "type": "long" + }, + { + "description": "Amount of RAM used by the bucket (bytes).\n", + "format": "bytes", + "name": "quota.ram.bytes", + "type": "long" + }, + { + "description": "Percentage of RAM used (for active objects) against the configured bucket size (%).\n", + "format": "percent", + "name": "quota.use.pct", + "type": "scaled_float" + }, + { + "description": "Number of operations per second.\n", + "name": "ops_per_sec", + "type": "double" + }, + { + "description": "Number of items associated with the bucket.\n", + "name": "item_count", + "type": "long" + } + ], + "name": "bucket", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "cluster": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Couchbase cluster metrics.\n", + "fields": [ + { + "description": "Free hard drive space in the cluster (bytes).\n", + "format": "bytes", + "name": "hdd.free.bytes", + "type": "long" + }, + { + "description": "Hard drive quota total for the cluster (bytes).\n", + "format": "bytes", + "name": "hdd.quota.total.bytes", + "type": "long" + }, + { + "description": "Total hard drive space available to the cluster (bytes).\n", + "format": "bytes", + "name": "hdd.total.bytes", + "type": "long" + }, + { + "description": "Hard drive space used by the cluster (bytes).\n", + "format": "bytes", + "name": "hdd.used.value.bytes", + "type": "long" + }, + { + "description": "Hard drive space used by the data in the cluster (bytes).\n", + "format": "bytes", + "name": "hdd.used.by_data.bytes", + "type": "long" + }, + { + "description": "Max bucket count setting.\n", + "name": "max_bucket_count", + "type": "long" + }, + { + "description": "Memory quota setting for the Index service 
(Mbyte).\n", + "name": "quota.index_memory.mb", + "type": "double" + }, + { + "description": "Memory quota setting for the cluster (Mbyte).\n", + "name": "quota.memory.mb", + "type": "double" + }, + { + "description": "RAM quota total for the cluster (bytes).\n", + "format": "bytes", + "name": "ram.quota.total.value.bytes", + "type": "long" + }, + { + "description": "RAM quota used by the current node in the cluster (bytes).\n", + "format": "bytes", + "name": "ram.quota.total.per_node.bytes", + "type": "long" + }, + { + "description": "RAM quota used by the cluster (bytes).\n", + "format": "bytes", + "name": "ram.quota.used.value.bytes", + "type": "long" + }, + { + "description": "Ram quota used by the current node in the cluster (bytes)\n", + "format": "bytes", + "name": "ram.quota.used.per_node.bytes", + "type": "long" + }, + { + "description": "Total RAM available to cluster (bytes).\n", + "format": "bytes", + "name": "ram.total.bytes", + "type": "long" + }, + { + "description": "RAM used by the cluster (bytes).\n", + "format": "bytes", + "name": "ram.used.value.bytes", + "type": "long" + }, + { + "description": "RAM used by the data in the cluster (bytes).\n", + "format": "bytes", + "name": "ram.used.by_data.bytes", + "type": "long" + } + ], + "name": "cluster", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "type": "http", + "url": "/pools/default" + } + } + } + } + } + } + }, + "node": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Couchbase node metrics.\n", + "fields": [ + { + "description": "Number of get commands\n", + "name": "cmd_get", + "type": "double" + }, + { + "description": "Amount of disk space used by Couch docs (bytes).\n", + "format": "bytes", + "name": "couch.docs.disk_size.bytes", + "type": "long" + }, + { + "description": "Data size of Couch docs associated with a node (bytes).\n", + "format": "bytes", + "name": 
"couch.docs.data_size.bytes", + "type": "long" + }, + { + "description": "Size of object data for spatial views (bytes).\n", + "name": "couch.spatial.data_size.bytes", + "type": "long" + }, + { + "description": "Amount of disk space used by spatial views (bytes).\n", + "name": "couch.spatial.disk_size.bytes", + "type": "long" + }, + { + "description": "Amount of disk space used by Couch views (bytes).\n", + "name": "couch.views.disk_size.bytes", + "type": "long" + }, + { + "description": "Size of object data for Couch views (bytes).\n", + "name": "couch.views.data_size.bytes", + "type": "long" + }, + { + "description": "The CPU utilization rate (%).\n", + "name": "cpu_utilization_rate.pct", + "type": "scaled_float" + }, + { + "description": "Number of current items.\n", + "name": "current_items.value", + "type": "long" + }, + { + "description": "Total number of items associated with the node.\n", + "name": "current_items.total", + "type": "long" + }, + { + "description": "Number of disk fetches performed since the server was started.\n", + "name": "ep_bg_fetched", + "type": "long" + }, + { + "description": "Number of get hits.\n", + "name": "get_hits", + "type": "long" + }, + { + "description": "The hostname of the node.\n", + "name": "hostname", + "type": "keyword" + }, + { + "description": "Amount of memcached memory allocated (bytes).\n", + "format": "bytes", + "name": "mcd_memory.allocated.bytes", + "type": "long" + }, + { + "description": "Amount of memcached memory reserved (bytes).\n", + "name": "mcd_memory.reserved.bytes", + "type": "long" + }, + { + "description": "Amount of memory free for the node (bytes).\n", + "name": "memory.free.bytes", + "type": "long" + }, + { + "description": "Total memory available to the node (bytes).\n", + "name": "memory.total.bytes", + "type": "long" + }, + { + "description": "Memory used by the node (bytes).\n", + "name": "memory.used.bytes", + "type": "long" + }, + { + "description": "Number of operations performed on 
Couchbase.\n", + "name": "ops", + "type": "long" + }, + { + "description": "Total swap size allocated (bytes).\n", + "name": "swap.total.bytes", + "type": "long" + }, + { + "description": "Amount of swap space used (bytes).\n", + "name": "swap.used.bytes", + "type": "long" + }, + { + "description": "Time during which the node was in operation (sec).\n", + "name": "uptime.sec", + "type": "long" + }, + { + "description": "Number of items/documents that are replicas.\n", + "name": "vb_replica_curr_items", + "type": "long" + } + ], + "name": "node", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "type": "http", + "url": "/pools/default" + } + } + } + } + } + } + } + } + }, + "couchdb": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:5984" + ], + "metricsets": [ + "server" + ], + "module": "couchdb", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "couchdb module\n", + "fields": [ + { + "description": "Couchdb metrics", + "fields": null, + "name": "couchdb", + "type": "group" + } + ], + "key": "couchdb", + "release": "ga", + "title": "CouchDB" + } + ] + } + }, + "server": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains CouchDB server stats\n", + "fields": [ + { + "description": "HTTP statistics\n", + "fields": [ + { + "description": "Number of view reads\n", + "name": "view_reads", + "type": "long" + }, + { + "description": "Number of bulk requests\n", + "name": "bulk_requests", + "type": "long" + }, + { + "description": "Number of clients for continuous _changes\n", + "name": "clients_requesting_changes", + "type": "long" + }, + { + "description": "Number of temporary view reads\n", + "name": "temporary_view_reads", + "type": "long" + }, + { + "description": "Number of HTTP requests\n", + "name": "requests", + "type": "long" + } + ], + "name": "httpd", + "type": "group" + }, + { + "description": 
"HTTP request methods\n", + "fields": [ + { + "description": "Number of HTTP COPY requests\n", + "name": "COPY", + "type": "long" + }, + { + "description": "Number of HTTP HEAD requests\n", + "name": "HEAD", + "type": "long" + }, + { + "description": "Number of HTTP POST requests\n", + "name": "POST", + "type": "long" + }, + { + "description": "Number of HTTP DELETE requests\n", + "name": "DELETE", + "type": "long" + }, + { + "description": "Number of HTTP GET requests\n", + "name": "GET", + "type": "long" + }, + { + "description": "Number of HTTP PUT requests\n", + "name": "PUT", + "type": "long" + } + ], + "name": "httpd_request_methods", + "type": "group" + }, + { + "description": "HTTP status codes statistics\n", + "fields": [ + { + "description": "Number of HTTP 200 OK responses\n", + "name": "200", + "type": "long" + }, + { + "description": "Number of HTTP 201 Created responses\n", + "name": "201", + "type": "long" + }, + { + "description": "Number of HTTP 202 Accepted responses\n", + "name": "202", + "type": "long" + }, + { + "description": "Number of HTTP 301 Moved Permanently responses\n", + "name": "301", + "type": "long" + }, + { + "description": "Number of HTTP 304 Not Modified responses\n", + "name": "304", + "type": "long" + }, + { + "description": "Number of HTTP 400 Bad Request responses\n", + "name": "400", + "type": "long" + }, + { + "description": "Number of HTTP 401 Unauthorized responses\n", + "name": "401", + "type": "long" + }, + { + "description": "Number of HTTP 403 Forbidden responses\n", + "name": "403", + "type": "long" + }, + { + "description": "Number of HTTP 404 Not Found responses\n", + "name": "404", + "type": "long" + }, + { + "description": "Number of HTTP 405 Method Not Allowed responses\n", + "name": "405", + "type": "long" + }, + { + "description": "Number of HTTP 409 Conflict responses\n", + "name": "409", + "type": "long" + }, + { + "description": "Number of HTTP 412 Precondition Failed responses\n", + "name": "412", + 
"type": "long" + }, + { + "description": "Number of HTTP 500 Internal Server Error responses\n", + "name": "500", + "type": "long" + } + ], + "name": "httpd_status_codes", + "type": "group" + }, + { + "description": "couchdb statistics\n", + "fields": [ + { + "description": "Number of times a database was changed\n", + "name": "database_writes", + "type": "long" + }, + { + "description": "Number of open databases\n", + "name": "open_databases", + "type": "long" + }, + { + "description": "Number of authentication cache misses\n", + "name": "auth_cache_misses", + "type": "long" + }, + { + "description": "Length of a request inside CouchDB without MochiWeb\n", + "name": "request_time", + "type": "long" + }, + { + "description": "Number of times a document was read from a database\n", + "name": "database_reads", + "type": "long" + }, + { + "description": "Number of authentication cache hits\n", + "name": "auth_cache_hits", + "type": "long" + }, + { + "description": "Number of file descriptors CouchDB has open\n", + "name": "open_os_files", + "type": "long" + } + ], + "name": "couchdb", + "type": "group" + } + ], + "name": "server", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "docker": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "unix:///var/run/docker.sock" + ], + "module": "docker", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Docker stats collected from Docker.\n", + "fields": [ + { + "description": "Information and statistics about docker's running containers.\n", + "fields": null, + "name": "docker", + "type": "group" + } + ], + "key": "docker", + "release": "ga", + "short_config": false, + "title": "Docker" + } + ] + } + }, + "container": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Docker container metrics.\n", + "fields": [ + { + "description": "Command that was executed in the Docker container.\n", + "name": "command", + "type": "keyword" 
+ }, + { + "description": "Date when the container was created.\n", + "name": "created", + "type": "date" + }, + { + "description": "Container status.\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Container IP addresses.\n", + "name": "ip_addresses", + "type": "ip" + }, + { + "description": "Container size metrics.\n", + "fields": [ + { + "description": "Total size of all the files in the container.\n", + "name": "root_fs", + "type": "long" + }, + { + "description": "Size of the files that have been created or changed since creation.\n", + "name": "rw", + "type": "long" + } + ], + "name": "size", + "type": "group" + }, + { + "description": "Image tags.\n", + "name": "tags", + "type": "keyword" + } + ], + "name": "container", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "cpu": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Runtime CPU metrics.\n", + "fields": [ + { + "description": "Percentage of time in kernel space.\n", + "format": "percent", + "name": "kernel.pct", + "type": "scaled_float" + }, + { + "description": "Percentage of time in kernel space normalized by the number of CPU cores.\n", + "format": "percent", + "name": "kernel.norm.pct", + "type": "scaled_float" + }, + { + "description": "CPU ticks in kernel space.\n", + "name": "kernel.ticks", + "type": "long" + }, + { + "description": "Percentage of total CPU time in the system.\n", + "format": "percent", + "name": "system.pct", + "type": "scaled_float" + }, + { + "description": "Percentage of total CPU time in the system normalized by the number of CPU cores.\n", + "format": "percent", + "name": "system.norm.pct", + "type": "scaled_float" + }, + { + "description": "CPU system ticks.\n", + "name": "system.ticks", + "type": "long" + }, + { + "description": "Percentage of time in user space.\n", + "format": "percent", + "name": "user.pct", + "type": "scaled_float" + }, + { + "description": "Percentage of time in user space 
normalized by the number of CPU cores.\n", + "format": "percent", + "name": "user.norm.pct", + "type": "scaled_float" + }, + { + "description": "CPU ticks in user space.\n", + "name": "user.ticks", + "type": "long" + }, + { + "description": "Total CPU usage.\n", + "format": "percent", + "name": "total.pct", + "type": "scaled_float" + }, + { + "description": "Total CPU usage normalized by the number of CPU cores.\n", + "format": "percent", + "name": "total.norm.pct", + "type": "scaled_float" + }, + { + "description": "Percentage of CPU time in this core.\n", + "format": "percent", + "name": "core.*.pct", + "object_type": "scaled_float", + "type": "object" + }, + { + "description": "Percentage of CPU time in this core, normalized by the number of CPU cores.\n", + "format": "percent", + "name": "core.*.norm.pct", + "object_type": "scaled_float", + "type": "object" + }, + { + "description": "Number of CPU ticks in this core.\n", + "name": "core.*.ticks", + "object_type": "long", + "type": "object" + } + ], + "name": "cpu", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "diskio": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Disk I/O metrics.\n", + "fields": [ + { + "description": "Accumulated reads during the life of the container\n", + "fields": [ + { + "description": "Number of reads during the life of the container\n", + "name": "ops", + "type": "long" + }, + { + "description": "Bytes read during the life of the container\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Number of current reads per second\n", + "name": "rate", + "type": "long" + }, + { + "description": "Total time to service IO requests, in nanoseconds\n", + "name": "service_time", + "type": "long" + }, + { + "description": "Total time requests spent waiting in queues for service, in nanoseconds\n", + "name": "wait_time", + "type": "long" + }, + { + "description": "Total number of queued requests\n", + 
"name": "queued", + "type": "long" + } + ], + "name": "read", + "type": "group" + }, + { + "deprecated": 6.4, + "description": "Number of current reads per second\n", + "name": "reads", + "type": "scaled_float" + }, + { + "description": "Accumulated writes during the life of the container\n", + "fields": [ + { + "description": "Number of writes during the life of the container\n", + "name": "ops", + "type": "long" + }, + { + "description": "Bytes written during the life of the container\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Number of current writes per second\n", + "name": "rate", + "type": "long" + }, + { + "description": "Total time to service IO requests, in nanoseconds\n", + "name": "service_time", + "type": "long" + }, + { + "description": "Total time requests spent waiting in queues for service, in nanoseconds\n", + "name": "wait_time", + "type": "long" + }, + { + "description": "Total number of queued requests\n", + "name": "queued", + "type": "long" + } + ], + "name": "write", + "type": "group" + }, + { + "deprecated": 6.4, + "description": "Number of current writes per second\n", + "name": "writes", + "type": "scaled_float" + }, + { + "description": "Accumulated reads and writes during the life of the container\n", + "fields": [ + { + "description": "Number of I/O operations during the life of the container\n", + "name": "ops", + "type": "long" + }, + { + "description": "Bytes read and written during the life of the container\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Number of current operations per second\n", + "name": "rate", + "type": "long" + }, + { + "description": "Total time to service IO requests, in nanoseconds\n", + "name": "service_time", + "type": "long" + }, + { + "description": "Total time requests spent waiting in queues for service, in nanoseconds\n", + "name": "wait_time", + "type": "long" + }, + { + "description": "Total number of queued 
requests\n", + "name": "queued", + "type": "long" + } + ], + "name": "summary", + "type": "group" + }, + { + "deprecated": 6.4, + "description": "Number of reads and writes per second\n", + "name": "total", + "type": "scaled_float" + } + ], + "name": "diskio", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "event": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Docker event\n", + "fields": [ + { + "description": "Event status\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Event id when available\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Event source\n", + "name": "from", + "type": "keyword" + }, + { + "description": "The type of object emitting the event\n", + "name": "type", + "type": "keyword" + }, + { + "description": "The type of event\n", + "name": "action", + "type": "keyword" + }, + { + "description": "Actor\n", + "fields": [ + { + "description": "The ID of the object emitting the event\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Various key/value attributes of the object, depending on its type\n", + "name": "attributes", + "object_type": "keyword", + "type": "object" + } + ], + "name": "actor", + "type": "group" + } + ], + "name": "event", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "healthcheck": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Docker healthcheck metrics.\nHealthcheck data will only be available from docker containers where the docker `HEALTHCHECK` instruction has been used to build the docker image.\n", + "fields": [ + { + "description": "concurent failed check\n", + "name": "failingstreak", + "type": "integer" + }, + { + "description": "Healthcheck status code\n", + "name": "status", + "type": "keyword" + }, + { + "description": "event fields.\n", + "fields": [ + { + "description": "Healthcheck end date\n", + "name": "end_date", + "type": "date" + }, + { + 
"description": "Healthcheck start date\n", + "name": "start_date", + "type": "date" + }, + { + "description": "Healthcheck output\n", + "name": "output", + "type": "keyword" + }, + { + "description": "Healthcheck status code\n", + "name": "exit_code", + "type": "integer" + } + ], + "name": "event", + "type": "group" + } + ], + "name": "healthcheck", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "image": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Docker image metrics.\n", + "fields": [ + { + "description": "The image layers identifier.\n", + "fields": [ + { + "description": "Unique image identifier given upon its creation.\n", + "name": "current", + "type": "keyword" + }, + { + "description": "Identifier of the image, if it exists, from which the current image directly descends.\n", + "name": "parent", + "type": "keyword" + } + ], + "name": "id", + "type": "group" + }, + { + "description": "Date and time when the image was created.\n", + "name": "created", + "type": "date" + }, + { + "description": "Image size layers.\n", + "fields": [ + { + "description": "Size of the image.\n", + "name": "virtual", + "type": "long" + }, + { + "description": "Total size of the all cached images associated to the current image.\n", + "name": "regular", + "type": "long" + } + ], + "name": "size", + "type": "group" + }, + { + "description": "Image labels.\n", + "name": "labels", + "object_type": "keyword", + "type": "object" + }, + { + "description": "Image tags.\n", + "name": "tags", + "type": "keyword" + } + ], + "name": "image", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "info": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Info metrics based on https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/display-system-wide-information.\n", + "fields": [ + { + "description": "Overall container stats.\n", + "fields": [ + { + "description": "Total number of 
paused containers.\n", + "name": "paused", + "type": "long" + }, + { + "description": "Total number of running containers.\n", + "name": "running", + "type": "long" + }, + { + "description": "Total number of stopped containers.\n", + "name": "stopped", + "type": "long" + }, + { + "description": "Total number of existing containers.\n", + "name": "total", + "type": "long" + } + ], + "name": "containers", + "type": "group" + }, + { + "description": "Unique Docker host identifier.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Total number of existing images.\n", + "name": "images", + "type": "long" + } + ], + "name": "info", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "memory": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Memory metrics.\n", + "fields": [ + { + "description": "Raw memory stats from the cgroups memory.stat interface\n", + "name": "stats.*", + "object_type": "long", + "object_type_mapping_type": "*", + "type": "object" + }, + { + "description": "Committed bytes on Windows\n", + "fields": [ + { + "description": "Total bytes\n", + "format": "bytes", + "name": "total", + "type": "long" + }, + { + "description": "Peak committed bytes on Windows\n", + "format": "bytes", + "name": "peak", + "type": "long" + } + ], + "name": "commit", + "type": "group" + }, + { + "description": "private working sets on Windows\n", + "format": "bytes", + "name": "private_working_set.total", + "type": "long" + }, + { + "description": "Fail counter.\n", + "name": "fail.count", + "type": "scaled_float" + }, + { + "description": "Memory limit.\n", + "format": "bytes", + "name": "limit", + "type": "long" + }, + { + "description": "RSS memory stats.\n", + "fields": [ + { + "description": "Total memory resident set size.\n", + "format": "bytes", + "name": "total", + "type": "long" + }, + { + "description": "Memory resident set size percentage.\n", + "format": "percent", + "name": "pct", + "type": 
"scaled_float" + } + ], + "name": "rss", + "type": "group" + }, + { + "description": "Usage memory stats.\n", + "fields": [ + { + "description": "Max memory usage.\n", + "format": "bytes", + "name": "max", + "type": "long" + }, + { + "description": "Memory usage percentage.\n", + "format": "percent", + "name": "pct", + "type": "scaled_float" + }, + { + "description": "Total memory usage.\n", + "format": "bytes", + "name": "total", + "type": "long" + } + ], + "name": "usage", + "type": "group" + } + ], + "name": "memory", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "network": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Network metrics.\n", + "fields": [ + { + "description": "Network interface name.\n", + "name": "interface", + "type": "keyword" + }, + { + "deprecated": 6.4, + "description": "Incoming network stats per second.\n", + "fields": [ + { + "description": "Total number of incoming bytes.\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Total number of dropped incoming packets.\n", + "name": "dropped", + "type": "scaled_float" + }, + { + "description": "Total errors on incoming packets.\n", + "name": "errors", + "type": "long" + }, + { + "description": "Total number of incoming packets.\n", + "name": "packets", + "type": "long" + } + ], + "name": "in", + "type": "group" + }, + { + "deprecated": 6.4, + "description": "Outgoing network stats per second.\n", + "fields": [ + { + "description": "Total number of outgoing bytes.\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Total number of dropped outgoing packets.\n", + "name": "dropped", + "type": "scaled_float" + }, + { + "description": "Total errors on outgoing packets.\n", + "name": "errors", + "type": "long" + }, + { + "description": "Total number of outgoing packets.\n", + "name": "packets", + "type": "long" + } + ], + "name": "out", + "type": "group" + }, + { + 
"description": "Incoming network stats since the container started.\n", + "fields": [ + { + "description": "Total number of incoming bytes.\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Total number of dropped incoming packets.\n", + "name": "dropped", + "type": "long" + }, + { + "description": "Total errors on incoming packets.\n", + "name": "errors", + "type": "long" + }, + { + "description": "Total number of incoming packets.\n", + "name": "packets", + "type": "long" + } + ], + "name": "inbound", + "type": "group" + }, + { + "description": "Outgoing network stats since the container started.\n", + "fields": [ + { + "description": "Total number of outgoing bytes.\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Total number of dropped outgoing packets.\n", + "name": "dropped", + "type": "long" + }, + { + "description": "Total errors on outgoing packets.\n", + "name": "errors", + "type": "long" + }, + { + "description": "Total number of outgoing packets.\n", + "name": "packets", + "type": "long" + } + ], + "name": "outbound", + "type": "group" + } + ], + "name": "network", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "dropwizard": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:8080" + ], + "metrics_path": "/metrics/metrics", + "module": "dropwizard", + "namespace": "example", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Stats collected from Dropwizard.\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "dropwizard", + "type": "group" + } + ], + "key": "dropwizard", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "short_config": false, + "title": "Dropwizard" + } + ] + } + }, + "collector": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "release": "ga" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "module": { + 
"namespace": "testnamespace" + }, + "omit_documented_fields_check": [ + "dropwizard.testnamespace.*" + ], + "type": "http", + "url": "/metrics/metrics" + } + } + } + } + } + } + } + } + }, + "elasticsearch": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "http://localhost:9200" + ], + "module": "elasticsearch", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Elasticsearch module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "Elasticsearch cluster name.\n", + "name": "cluster.name", + "type": "keyword" + }, + { + "description": "Elasticsearch cluster id.\n", + "name": "cluster.id", + "type": "keyword" + }, + { + "description": "Elasticsearch state id.\n", + "name": "cluster.state.id", + "type": "keyword" + }, + { + "description": "Node ID\n", + "name": "node.id", + "type": "keyword" + }, + { + "description": "Node name.\n", + "name": "node.name", + "type": "keyword" + } + ], + "name": "elasticsearch", + "type": "group" + } + ], + "key": "elasticsearch", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "short_config": false, + "title": "Elasticsearch" + } + ] + } + }, + "ccr": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Cross-cluster replication stats\n", + "fields": [ + { + "fields": [ + { + "description": "Name of leader index\n", + "name": "index", + "type": "keyword" + }, + { + "description": "Maximum sequence number of operation on the leader shard\n", + "name": "max_seq_no", + "type": "long" + } + ], + "name": "leader", + "type": "group" + }, + { + "fields": [ + { + "description": "Name of follower index\n", + "name": "index", + "type": "keyword" + }, + { + "description": "Number of the shard within the index\n", + "name": "shard.number", + "type": "long" + }, + { + "description": "Number of operations indexed (replicated) into the follower shard from the leader shard\n", + "name": "operations_written", + "type": "long" + }, + { 
+ "description": "Time, in ms, since the follower last fetched from the leader\n", + "name": "time_since_last_read.ms", + "type": "long" + }, + { + "description": "Global checkpoint value on follower shard\n", + "name": "global_checkpoint", + "type": "long" + } + ], + "name": "follower", + "type": "group" + } + ], + "name": "ccr", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "cluster_stats": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Cluster stats\n", + "fields": [ + { + "description": "Cluster status (green, yellow, red).\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Nodes statistics.\n", + "fields": [ + { + "description": "Total number of nodes in cluster.\n", + "name": "count", + "type": "long" + }, + { + "description": "Number of master-eligible nodes in cluster.\n", + "name": "master", + "type": "long" + }, + { + "description": "Number of data nodes in cluster.\n", + "name": "data", + "type": "long" + } + ], + "name": "nodes", + "type": "group" + }, + { + "description": "Indices statistics.\n", + "fields": [ + { + "description": "Total number of indices in cluster.\n", + "name": "count", + "type": "long" + }, + { + "description": "Shard statistics.\n", + "fields": [ + { + "description": "Total number of shards in cluster.\n", + "name": "count", + "type": "long" + }, + { + "description": "Total number of primary shards in cluster.\n", + "name": "primaries", + "type": "long" + } + ], + "name": "shards", + "type": "group" + }, + { + "description": "Memory used for fielddata.\n", + "name": "fielddata.memory.bytes", + "type": "long" + } + ], + "name": "indices", + "type": "group" + } + ], + "name": "cluster.stats", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "enrich": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Enrich stats\n", + "fields": [ + { + "description": "Number of search requests in the queue.\n", + "name": 
"queue.size", + "type": "long" + }, + { + "fields": [ + { + "description": "Current number of outstanding remote requests.\n", + "name": "current", + "type": "long" + }, + { + "description": "Number of outstanding remote requests executed since node startup.\n", + "name": "total", + "type": "long" + } + ], + "name": "remote_requests", + "type": "group" + }, + { + "description": "Number of search requests that enrich processors have executed since node startup.\n", + "name": "executed_searches.total", + "type": "long" + } + ], + "name": "enrich", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "index": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "index\n", + "fields": [ + { + "description": "Index name.\n", + "name": "name", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Total number of documents in the index.\n", + "name": "docs.count", + "type": "long" + }, + { + "description": "Total number of deleted documents in the index.\n", + "name": "docs.deleted", + "type": "long" + }, + { + "description": "Total size of the index in bytes.\n", + "format": "bytes", + "name": "store.size.bytes", + "type": "long" + }, + { + "description": "Total number of index segments.\n", + "name": "segments.count", + "type": "long" + }, + { + "description": "Total number of memory used by the segments in bytes.\n", + "format": "bytes", + "name": "segments.memory.bytes", + "type": "long" + } + ], + "name": "total", + "type": "group" + } + ], + "name": "index", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "index_recovery": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "index\n", + "fields": [ + { + "description": "Shard recovery id.\n", + "name": "id", + "type": "long" + }, + { + "description": "Shard recovery type.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "True if primary shard.\n", + "name": "primary", + "type": "boolean" + }, + { + 
"description": "Recovery stage.\n", + "name": "stage", + "type": "keyword" + }, + { + "description": "Target node id.\n", + "name": "target.id", + "type": "keyword" + }, + { + "description": "Target node host address (could be IP address or hostname).\n", + "name": "target.host", + "type": "keyword" + }, + { + "description": "Target node name.\n", + "name": "target.name", + "type": "keyword" + }, + { + "description": "Source node id.\n", + "name": "source.id", + "type": "keyword" + }, + { + "description": "Source node host address (could be IP address or hostname).\n", + "name": "source.host", + "type": "keyword" + }, + { + "description": "Source node name.\n", + "name": "source.name", + "type": "keyword" + } + ], + "name": "index.recovery", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "index_summary": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "index\n", + "fields": [ + { + "fields": [ + { + "description": "Total number of documents in the index.\n", + "name": "docs.count", + "type": "long" + }, + { + "description": "Total number of deleted documents in the index.\n", + "name": "docs.deleted", + "type": "long" + }, + { + "description": "Total size of the index in bytes.\n", + "format": "bytes", + "name": "store.size.bytes", + "type": "long" + }, + { + "description": "Total number of index segments.\n", + "name": "segments.count", + "type": "long" + }, + { + "description": "Total number of memory used by the segments in bytes.\n", + "format": "bytes", + "name": "segments.memory.bytes", + "type": "long" + } + ], + "name": "primaries", + "type": "group" + }, + { + "fields": [ + { + "description": "Total number of documents in the index.\n", + "name": "docs.count", + "type": "long" + }, + { + "description": "Total number of deleted documents in the index.\n", + "name": "docs.deleted", + "type": "long" + }, + { + "description": "Total size of the index in bytes.\n", + "format": "bytes", + "name": 
"store.size.bytes", + "type": "long" + }, + { + "description": "Total number of index segments.\n", + "name": "segments.count", + "type": "long" + }, + { + "description": "Total number of memory used by the segments in bytes.\n", + "format": "bytes", + "name": "segments.memory.bytes", + "type": "long" + } + ], + "name": "total", + "type": "group" + } + ], + "name": "index.summary", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "ml_job": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "ml\n", + "fields": [ + { + "description": "Unique ml job id.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Job state.\n", + "name": "state", + "type": "keyword" + }, + { + "description": "Processed data events.\n", + "name": "data_counts.processed_record_count", + "type": "long" + }, + { + "description": "The number of records with either a missing date field or a date that could not be parsed.\n", + "name": "data_counts.invalid_date_count", + "type": "long" + } + ], + "name": "ml.job", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "node": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "node\n", + "fields": [ + { + "description": "Node version.\n", + "name": "version", + "type": "keyword" + }, + { + "description": "JVM Info.\n", + "fields": [ + { + "description": "JVM version.\n", + "name": "version", + "type": "keyword" + }, + { + "description": "Heap init used by the JVM in bytes.\n", + "format": "bytes", + "name": "memory.heap.init.bytes", + "type": "long" + }, + { + "description": "Heap max used by the JVM in bytes.\n", + "format": "bytes", + "name": "memory.heap.max.bytes", + "type": "long" + }, + { + "description": "Non-Heap init used by the JVM in bytes.\n", + "format": "bytes", + "name": "memory.nonheap.init.bytes", + "type": "long" + }, + { + "description": "Non-Heap max used by the JVM in bytes.\n", + "format": "bytes", + "name": 
"memory.nonheap.max.bytes", + "type": "long" + } + ], + "name": "jvm", + "type": "group" + }, + { + "description": "If process locked in memory.\n", + "name": "process.mlockall", + "type": "boolean" + } + ], + "name": "node", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "node_stats": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "node_stats\n", + "fields": [ + { + "description": "Node indices stats\n", + "fields": [ + { + "description": "Total number of existing documents.\n", + "name": "docs.count", + "type": "long" + }, + { + "description": "Total number of deleted documents.\n", + "name": "docs.deleted", + "type": "long" + }, + { + "description": "Total number of segments.\n", + "name": "segments.count", + "type": "long" + }, + { + "description": "Total size of segments in bytes.\n", + "format": "bytes", + "name": "segments.memory.bytes", + "type": "long" + }, + { + "description": "Total size of the store in bytes.\n", + "name": "store.size.bytes", + "type": "long" + } + ], + "name": "indices", + "type": "group" + }, + { + "description": "JVM memory pool stats\n", + "fields": [ + { + "description": "Old memory pool stats.\n", + "fields": [ + { + "description": "Max bytes.", + "format": "bytes", + "name": "max.bytes", + "type": "long" + }, + { + "description": "Peak bytes.", + "format": "bytes", + "name": "peak.bytes", + "type": "long" + }, + { + "description": "Peak max bytes.", + "format": "bytes", + "name": "peak_max.bytes", + "type": "long" + }, + { + "description": "Used bytes.", + "format": "bytes", + "name": "used.bytes", + "type": "long" + } + ], + "name": "old", + "type": "group" + }, + { + "description": "Young memory pool stats.\n", + "fields": [ + { + "description": "Max bytes.", + "format": "bytes", + "name": "max.bytes", + "type": "long" + }, + { + "description": "Peak bytes.", + "format": "bytes", + "name": "peak.bytes", + "type": "long" + }, + { + "description": "Peak max bytes.", + "format": 
"bytes", + "name": "peak_max.bytes", + "type": "long" + }, + { + "description": "Used bytes.", + "format": "bytes", + "name": "used.bytes", + "type": "long" + } + ], + "name": "young", + "type": "group" + }, + { + "description": "Survivor memory pool stats.\n", + "fields": [ + { + "description": "Max bytes.", + "format": "bytes", + "name": "max.bytes", + "type": "long" + }, + { + "description": "Peak bytes.", + "format": "bytes", + "name": "peak.bytes", + "type": "long" + }, + { + "description": "Peak max bytes.", + "format": "bytes", + "name": "peak_max.bytes", + "type": "long" + }, + { + "description": "Used bytes.", + "format": "bytes", + "name": "used.bytes", + "type": "long" + } + ], + "name": "survivor", + "type": "group" + } + ], + "name": "jvm.mem.pools", + "type": "group" + }, + { + "description": "GC collector stats.\n", + "fields": [ + { + "description": "Old collection gc.\n", + "fields": [ + { + "description": "", + "name": "count", + "type": "long" + }, + { + "description": "", + "name": "ms", + "type": "long" + } + ], + "name": "old.collection", + "type": "group" + }, + { + "description": "Young collection gc.\n", + "fields": [ + { + "description": "", + "name": "count", + "type": "long" + }, + { + "description": "", + "name": "ms", + "type": "long" + } + ], + "name": "young.collection", + "type": "group" + } + ], + "name": "jvm.gc.collectors", + "type": "group" + }, + { + "description": "File system summary\n", + "fields": [ + { + "description": "", + "format": "bytes", + "name": "total.bytes", + "type": "long" + }, + { + "description": "", + "format": "bytes", + "name": "free.bytes", + "type": "long" + }, + { + "description": "", + "format": "bytes", + "name": "available.bytes", + "type": "long" + } + ], + "name": "fs.summary", + "type": "group" + } + ], + "name": "node.stats", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "pending_tasks": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": 
"`cluster.pending_task` contains a pending task description.\n", + "fields": [ + { + "description": "Insert order\n", + "name": "insert_order", + "type": "long" + }, + { + "description": "Priority\n", + "name": "priority", + "type": "long" + }, + { + "description": "Source. For example: put-mapping\n", + "name": "source", + "type": "keyword" + }, + { + "description": "Time in queue\n", + "name": "time_in_queue.ms", + "type": "long" + } + ], + "name": "cluster.pending_task", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "shard": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "shard fields\n", + "fields": [ + { + "description": "True if this is the primary shard.\n", + "name": "primary", + "type": "boolean" + }, + { + "description": "The number of this shard.\n", + "name": "number", + "type": "long" + }, + { + "description": "The state of this shard.\n", + "name": "state", + "type": "keyword" + }, + { + "description": "The node the shard was relocated from.\n", + "name": "relocating_node.name", + "type": "keyword" + } + ], + "name": "shard", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "envoyproxy": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:9901" + ], + "module": "envoyproxy", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "envoyproxy module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "envoyproxy", + "type": "group" + } + ], + "key": "envoyproxy", + "release": "ga", + "title": "Envoyproxy" + } + ] + } + }, + "server": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains envoy proxy server stats\n", + "fields": [ + { + "fields": [ + { + "description": "Number of currently active (warmed) clusters\n", + "name": "active_clusters", + "type": "integer" + }, + { + "description": "Total clusters added (either via static config or CDS)\n", + "name": 
"cluster_added", + "type": "integer" + }, + { + "description": "Total clusters modified (via CDS)\n", + "name": "cluster_modified", + "type": "integer" + }, + { + "description": "Total clusters removed (via CDS)\n", + "name": "cluster_removed", + "type": "integer" + }, + { + "description": "Number of currently warming (not active) clusters\n", + "name": "warming_clusters", + "type": "integer" + }, + { + "description": "Total cluster updates\n", + "name": "cluster_updated", + "type": "integer" + }, + { + "description": "Total cluster updates applied as merged updates\n", + "name": "cluster_updated_via_merge", + "type": "integer" + }, + { + "description": "Total merged updates that got cancelled and delivered early\n", + "name": "update_merge_cancelled", + "type": "integer" + }, + { + "description": "Total updates which arrived out of a merge window\n", + "name": "update_out_of_merge_window", + "type": "integer" + } + ], + "name": "cluster_manager", + "type": "group" + }, + { + "fields": [ + { + "description": "Total number of times internal flush buffers are written to a file due to flush timeout\n", + "name": "flushed_by_timer", + "type": "integer" + }, + { + "description": "Total number of times a file was failed to be opened\n", + "name": "reopen_failed", + "type": "integer" + }, + { + "description": "Total number of times file data is moved to Envoys internal flush buffer\n", + "name": "write_buffered", + "type": "integer" + }, + { + "description": "Total number of times a file was written\n", + "name": "write_completed", + "type": "integer" + }, + { + "description": "Current total size of internal flush buffer in bytes\n", + "name": "write_total_buffered", + "type": "integer" + }, + { + "description": "Total number of times an error occurred during a file write operation\n", + "name": "write_failed", + "type": "integer" + } + ], + "name": "filesystem", + "type": "group" + }, + { + "fields": [ + { + "description": "Total number of load attempts that resulted in 
an error in any layer\n", + "name": "load_error", + "type": "integer" + }, + { + "description": "Total number of load attempts that were successful at all layers\n", + "name": "load_success", + "type": "integer" + }, + { + "description": "Number of keys currently loaded\n", + "name": "num_keys", + "type": "integer" + }, + { + "description": "Total number of loads that did use an override directory\n", + "name": "override_dir_exists", + "type": "integer" + }, + { + "description": "Total number of loads that did not use an override directory\n", + "name": "override_dir_not_exists", + "type": "integer" + }, + { + "description": "1 if any admin overrides are active otherwise 0\n", + "name": "admin_overrides_active", + "type": "integer" + }, + { + "description": "Total number of times deprecated features were used.\n", + "name": "deprecated_feature_use", + "type": "integer" + }, + { + "description": "Number of layers currently active (without loading errors)\n", + "name": "num_layers", + "type": "integer" + } + ], + "name": "runtime", + "type": "group" + }, + { + "fields": [ + { + "description": "Total listeners added (either via static config or LDS)\n", + "name": "listener_added", + "type": "integer" + }, + { + "description": "Total failed listener object additions to workers\n", + "name": "listener_create_failure", + "type": "integer" + }, + { + "description": "Total listener objects successfully added to workers\n", + "name": "listener_create_success", + "type": "integer" + }, + { + "description": "Total listeners modified (via LDS)\n", + "name": "listener_modified", + "type": "integer" + }, + { + "description": "Total listeners removed (via LDS)\n", + "name": "listener_removed", + "type": "integer" + }, + { + "description": "Number of currently active listeners\n", + "name": "total_listeners_active", + "type": "integer" + }, + { + "description": "Number of currently draining listeners\n", + "name": "total_listeners_draining", + "type": "integer" + }, + { + 
"description": "Number of currently warming listeners\n", + "name": "total_listeners_warming", + "type": "integer" + }, + { + "description": "Total listeners stopped\n", + "name": "listener_stopped", + "type": "integer" + } + ], + "name": "listener_manager", + "type": "group" + }, + { + "fields": [ + { + "description": "Total number of times Envoy cannot allocate a statistic due to a shortage of shared memory\n", + "name": "overflow", + "type": "integer" + } + ], + "name": "stats", + "type": "group" + }, + { + "fields": [ + { + "description": "Number of days until the next certificate being managed will expire\n", + "name": "days_until_first_cert_expiring", + "type": "integer" + }, + { + "description": "1 if the server is not currently draining, 0 otherwise\n", + "name": "live", + "type": "integer" + }, + { + "description": "Current amount of allocated memory in bytes\n", + "name": "memory_allocated", + "type": "integer" + }, + { + "description": "Current reserved heap size in bytes\n", + "name": "memory_heap_size", + "type": "integer" + }, + { + "description": "Total connections of the old Envoy process on hot restart\n", + "name": "parent_connections", + "type": "integer" + }, + { + "description": "Total connections of both new and old Envoy processes\n", + "name": "total_connections", + "type": "integer" + }, + { + "description": "Current server uptime in seconds\n", + "name": "uptime", + "type": "integer" + }, + { + "description": "Integer represented version number based on SCM revision\n", + "name": "version", + "type": "integer" + }, + { + "name": "watchdog_mega_miss", + "type": "integer" + }, + { + "name": "watchdog_miss", + "type": "integer" + }, + { + "description": "Current hot restart epoch\n", + "name": "hot_restart_epoch", + "type": "integer" + }, + { + "description": "Number of worker threads\n", + "name": "concurrency", + "type": "integer" + }, + { + "name": "debug_assertion_failures", + "type": "integer" + }, + { + "description": "Number of 
messages in dynamic configuration with unknown fields\n", + "name": "dynamic_unknown_fields", + "type": "integer" + }, + { + "description": "Current state of the Server\n", + "name": "state", + "type": "integer" + }, + { + "description": "Number of messages in static configuration with unknown fields\n", + "name": "static_unknown_fields", + "type": "integer" + }, + { + "name": "stats_recent_lookups", + "type": "integer" + } + ], + "name": "server", + "type": "group" + }, + { + "fields": [ + { + "description": "Total number of connections reset due to the headers being larger than Envoy::Http::Http2::ConnectionImpl::StreamImpl::MAX_HEADER_SIZE (63k)\n", + "name": "header_overflow", + "type": "integer" + }, + { + "description": "Total number of errors where a header callback is called without an associated stream. This tracks an unexpected occurrence due to an as yet undiagnosed bug\n", + "name": "headers_cb_no_stream", + "type": "integer" + }, + { + "description": "Total number of invalid received frames that violated section 8 of the HTTP/2 spec. This will result in a tx_reset\n", + "name": "rx_messaging_error", + "type": "integer" + }, + { + "description": "Total number of reset stream frames received by Envoy\n", + "name": "rx_reset", + "type": "integer" + }, + { + "description": "Total number of times an HTTP2 connection is reset due to receiving too many headers frames. 
Envoy currently supports proxying at most one header frame for 100-Continue one non-100 response code header frame and one frame with trailers\n", + "name": "too_many_header_frames", + "type": "integer" + }, + { + "description": "Total number of trailers seen on requests coming from downstream\n", + "name": "trailers", + "type": "integer" + }, + { + "description": "Total number of reset stream frames transmitted by Envoy\n", + "name": "tx_reset", + "type": "integer" + } + ], + "name": "http2", + "type": "group" + } + ], + "name": "server", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "etcd": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:2379" + ], + "module": "etcd", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "etcd Module\n", + "fields": [ + { + "description": "`etcd` contains statistics that were read from Etcd\n", + "fields": [ + { + "description": "Etcd API version for metrics retrieval\n", + "name": "api_version", + "type": "keyword" + } + ], + "name": "etcd", + "type": "group" + } + ], + "key": "etcd", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "title": "Etcd" + } + ] + } + }, + "leader": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains etcd leader statistics.\n", + "fields": [ + { + "description": "The number of failed and successful Raft RPC requests.\n", + "fields": [ + { + "description": "successful Raft RPC requests", + "name": "followers.counts.success", + "type": "integer" + }, + { + "description": "failed Raft RPC requests", + "name": "followers.counts.fail", + "type": "integer" + } + ], + "name": "followers.counts", + "type": "group" + }, + { + "description": "latency to each peer in the cluster\n", + "fields": [ + { + "name": "followers.latency.average", + "type": "scaled_float" + }, + { + "name": "followers.latency.current", + "type": "scaled_float" + }, + { + "name": "followers.latency.maximum", 
+ "type": "scaled_float" + }, + { + "name": "followers.latency.minimum", + "type": "integer" + }, + { + "name": "follower.latency.standardDeviation", + "type": "scaled_float" + } + ], + "name": "followers.latency", + "type": "group" + }, + { + "description": "ID of actual leader", + "name": "leader", + "type": "keyword" + } + ], + "name": "leader", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "metrics": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Server metrics from the Etcd V3 /metrics endpoint\n", + "fields": [ + { + "description": "Whether a leader exists in the cluster\n", + "name": "has_leader", + "type": "byte" + }, + { + "description": "Number of leader changes seen at the cluster\n", + "name": "leader_changes.count", + "type": "long" + }, + { + "description": "Number of consensus proposals commited\n", + "name": "proposals_committed.count", + "type": "long" + }, + { + "description": "Number of consensus proposals pending\n", + "name": "proposals_pending.count", + "type": "long" + }, + { + "description": "Number of consensus proposals failed\n", + "name": "proposals_failed.count", + "type": "long" + }, + { + "description": "Number of sent gRPC requests\n", + "name": "grpc_started.count", + "type": "long" + }, + { + "description": "Number of received gRPC requests\n", + "name": "grpc_handled.count", + "type": "long" + } + ], + "name": "server", + "release": "beta", + "type": "group" + }, + { + "description": "Disk metrics from the Etcd V3 /metrics endpoint\n", + "fields": [ + { + "description": "Size of stored data at MVCC\n", + "format": "bytes", + "name": "mvcc_db_total_size.bytes", + "type": "long" + }, + { + "description": "Latency for writing ahead logs to disk\n", + "name": "wal_fsync_duration.ns.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Write ahead logs count\n", + "name": "wal_fsync_duration.ns.count", + "type": "long" + }, + { + "description": "Write 
ahead logs latency sum\n", + "name": "wal_fsync_duration.ns.sum", + "type": "long" + }, + { + "description": "Latency for writing backend changes to disk\n", + "name": "backend_commit_duration.ns.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Backend commits count\n", + "name": "backend_commit_duration.ns.count", + "type": "long" + }, + { + "description": "Backend commits latency sum\n", + "name": "backend_commit_duration.ns.sum", + "type": "long" + } + ], + "name": "disk", + "release": "beta", + "type": "group" + }, + { + "description": "Memory metrics from the Etcd V3 /metrics endpoint\n", + "fields": [ + { + "description": "Memory allocated bytes as of MemStats Go\n", + "format": "bytes", + "name": "go_memstats_alloc.bytes", + "type": "long" + } + ], + "name": "memory", + "release": "beta", + "type": "group" + }, + { + "description": "Network metrics from the Etcd V3 /metrics endpoint\n", + "fields": [ + { + "description": "gRPC sent bytes total\n", + "format": "bytes", + "name": "client_grpc_sent.bytes", + "type": "long" + }, + { + "description": "gRPC received bytes total", + "format": "bytes", + "name": "client_grpc_received.bytes", + "type": "long" + } + ], + "name": "network", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "self": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains etcd self statistics.\n", + "fields": [ + { + "description": "the unique identifier for the member\n", + "name": "id", + "type": "keyword" + }, + { + "description": "id of the current leader member\n", + "name": "leaderinfo.leader", + "type": "keyword" + }, + { + "description": "the time when this node was started\n", + "name": "leaderinfo.starttime", + "type": "keyword" + }, + { + "description": "amount of time the leader has been leader\n", + "name": 
"leaderinfo.uptime", + "type": "keyword" + }, + { + "description": "this member's name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "number of append requests this node has processed\n", + "name": "recv.appendrequest.count", + "type": "integer" + }, + { + "description": "number of bytes per second this node is receiving (follower only)\n", + "name": "recv.bandwidthrate", + "type": "scaled_float" + }, + { + "description": "number of requests per second this node is receiving (follower only)\n", + "name": "recv.pkgrate", + "type": "scaled_float" + }, + { + "description": "number of requests that this node has sent\n", + "name": "send.appendrequest.count", + "type": "integer" + }, + { + "description": "number of bytes per second this node is sending (leader only). This value is undefined on single member clusters.\n", + "name": "send.bandwidthrate", + "type": "scaled_float" + }, + { + "description": "number of requests per second this node is sending (leader only). This value is undefined on single member clusters.\n", + "name": "send.pkgrate", + "type": "scaled_float" + }, + { + "description": "the time when this node was started\n", + "name": "starttime", + "type": "keyword" + }, + { + "description": "either leader or follower\n", + "name": "state", + "type": "keyword" + } + ], + "name": "self", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "store": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "The store statistics include information about the operations that this node has handled.\n", + "fields": [ + { + "name": "gets.success", + "type": "integer" + }, + { + "name": "gets.fail", + "type": "integer" + }, + { + "name": "sets.success", + "type": "integer" + }, + { + "name": "sets.fail", + "type": "integer" + }, + { + "name": "delete.success", + "type": "integer" + }, + { + "name": "delete.fail", + "type": "integer" + }, + { + "name": "update.success", + "type": "integer" + }, + { + "name": 
"update.fail", + "type": "integer" + }, + { + "name": "create.success", + "type": "integer" + }, + { + "name": "create.fail", + "type": "integer" + }, + { + "name": "compareandswap.success", + "type": "integer" + }, + { + "name": "compareandswap.fail", + "type": "integer" + }, + { + "name": "compareanddelete.success", + "type": "integer" + }, + { + "name": "compareanddelete.fail", + "type": "integer" + }, + { + "name": "expire.count", + "type": "integer" + }, + { + "name": "watchers", + "type": "integer" + } + ], + "name": "store", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "golang": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "expvar": { + "namespace": "example", + "path": "/debug/vars" + }, + "heap.path": "/debug/vars", + "hosts": [ + "localhost:6060" + ], + "module": "golang", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Golang module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "golang", + "type": "group" + } + ], + "key": "golang", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "short_config": false, + "title": "Golang" + } + ] + } + }, + "expvar": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "expvar\n", + "fields": [ + { + "description": "The cmdline of this Go program start with.\n", + "name": "cmdline", + "type": "keyword" + } + ], + "name": "expvar", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "heap": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "The Go program heap information exposed by expvar.\n", + "fields": [ + { + "description": "The cmdline of this Go program start with.\n", + "name": "cmdline", + "type": "keyword" + }, + { + "description": "Garbage collector summary.\n", + "fields": [ + { + "description": "Total GC pause duration over lifetime of process.\n", + "fields": [ + { + "description": "Duration in Ns.\n", + "name": "ns", + "type": 
"long" + } + ], + "name": "total_pause", + "type": "group" + }, + { + "description": "Total number of GC was happened.\n", + "name": "total_count", + "type": "long" + }, + { + "description": "Next collection will happen when HeapAlloc > this amount.\n", + "format": "bytes", + "name": "next_gc_limit", + "type": "long" + }, + { + "description": "Fraction of CPU time used by GC.\n", + "name": "cpu_fraction", + "type": "float" + }, + { + "description": "Last GC pause durations during the monitoring period.\n", + "fields": [ + { + "description": "Count of GC pause duration during this collect period.\n", + "name": "count", + "type": "long" + }, + { + "description": "Total GC pause duration during this collect period.\n", + "fields": [ + { + "description": "Duration in Ns.\n", + "name": "ns", + "type": "long" + } + ], + "name": "sum", + "type": "group" + }, + { + "description": "Max GC pause duration during this collect period.\n", + "fields": [ + { + "description": "Duration in Ns.\n", + "name": "ns", + "type": "long" + } + ], + "name": "max", + "type": "group" + }, + { + "description": "Average GC pause duration during this collect period.\n", + "fields": [ + { + "description": "Duration in Ns.\n", + "name": "ns", + "type": "long" + } + ], + "name": "avg", + "type": "group" + } + ], + "name": "pause", + "type": "group" + } + ], + "name": "gc", + "type": "group" + }, + { + "description": "Heap summary,which bytes was obtained from system.\n", + "fields": [ + { + "description": "Total bytes obtained from system (sum of XxxSys below).\n", + "format": "bytes", + "name": "total", + "type": "long" + }, + { + "description": "Via HeapSys, bytes obtained from system. 
heap_sys = heap_idle + heap_inuse.\n", + "format": "bytes", + "name": "obtained", + "type": "long" + }, + { + "description": "Bytes used by stack allocator, and these bytes was obtained from system.\n", + "format": "bytes", + "name": "stack", + "type": "long" + }, + { + "description": "Bytes released to the OS.\n", + "format": "bytes", + "name": "released", + "type": "long" + } + ], + "name": "system", + "type": "group" + }, + { + "description": "Heap allocations summary.\n", + "fields": [ + { + "description": "Number of mallocs.\n", + "name": "mallocs", + "type": "long" + }, + { + "description": "Number of frees.\n", + "name": "frees", + "type": "long" + }, + { + "description": "Total number of allocated objects.\n", + "name": "objects", + "type": "long" + }, + { + "description": "Bytes allocated (even if freed) throughout the lifetime.\n", + "format": "bytes", + "name": "total", + "type": "long" + }, + { + "description": "Bytes allocated and not yet freed (same as Alloc above).\n", + "format": "bytes", + "name": "allocated", + "type": "long" + }, + { + "description": "Bytes in idle spans.\n", + "format": "bytes", + "name": "idle", + "type": "long" + }, + { + "description": "Bytes in non-idle span.\n", + "format": "bytes", + "name": "active", + "type": "long" + } + ], + "name": "allocations", + "type": "group" + } + ], + "name": "heap", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "googlecloud": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "credentials_file_path": "your JSON credentials file path", + "exclude_labels": false, + "metricsets": [ + "compute" + ], + "module": "googlecloud", + "period": "1m", + "project_id": "your project id", + "region": "us-" + }, + { + "credentials_file_path": "your JSON credentials file path", + "exclude_labels": false, + "metricsets": [ + "pubsub", + "loadbalancing" + ], + "module": "googlecloud", + "period": "1m", + "project_id": "your project id", + "region": "us-central1", + 
"zone": "us-central1-a" + }, + { + "credentials_file_path": "your JSON credentials file path", + "exclude_labels": false, + "metricsets": [ + "storage" + ], + "module": "googlecloud", + "period": "5m", + "project_id": "your project id" + }, + { + "credentials_file_path": "your JSON credentials file path", + "exclude_labels": false, + "metrics": [ + { + "aligner": "ALIGN_NONE", + "metric_types": [ + "instance/cpu/reserved_cores", + "instance/cpu/usage_time", + "instance/cpu/utilization", + "instance/uptime" + ], + "service": "compute" + } + ], + "metricsets": [ + "metrics" + ], + "module": "googlecloud", + "period": "1m", + "project_id": "your project id" + } + ], + "fields.yml": [ + { + "description": "GCP module\n", + "fields": [ + { + "fields": [ + { + "description": "Google cloud monitoring metrics labels\n", + "fields": [ + { + "name": "user.*", + "object_type": "keyword", + "type": "object" + }, + { + "name": "metadata.*", + "object_type": "keyword", + "type": "object" + }, + { + "name": "metrics.*", + "object_type": "keyword", + "type": "object" + }, + { + "name": "system.*", + "object_type": "keyword", + "type": "object" + } + ], + "name": "labels", + "type": "object" + }, + { + "description": "Metrics that returned from Google Cloud API query.\n", + "name": "metrics.*.*.*.*", + "object_type": "double", + "object_type_mapping_type": "*", + "type": "object" + } + ], + "name": "googlecloud", + "type": "group" + } + ], + "key": "googlecloud", + "release": "beta", + "title": "Google Cloud Platform" + } + ] + } + }, + "compute": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Google Cloud Compute metrics", + "fields": [ + { + "fields": [ + { + "fields": [ + { + "description": "Incoming bytes dropped by the firewall", + "name": "dropped_bytes_count.value", + "type": "long" + }, + { + "description": "Incoming packets dropped by the firewall", + "name": "dropped_packets_count.value", + "type": "long" + } + ], + "name": "firewall", 
+ "type": "group" + }, + { + "fields": [ + { + "description": "Number of cores reserved on the host of the instance", + "name": "reserved_cores.value", + "type": "double" + }, + { + "description": "The fraction of the allocated CPU that is currently in use on the instance", + "name": "utilization.value", + "type": "double" + }, + { + "description": "Usage for all cores in seconds", + "name": "usage_time.value", + "type": "double" + } + ], + "name": "cpu", + "type": "group" + }, + { + "fields": [ + { + "description": "Count of bytes read from disk", + "name": "read_bytes_count.value", + "type": "long" + }, + { + "description": "Count of disk read IO operations", + "name": "read_ops_count.value", + "type": "long" + }, + { + "description": "Count of bytes written to disk", + "name": "write_bytes_count.value", + "type": "long" + }, + { + "description": "Count of disk write IO operations", + "name": "write_ops_count.value", + "type": "long" + } + ], + "name": "disk", + "type": "group" + }, + { + "description": "How long the VM has been running, in seconds", + "name": "uptime.value", + "type": "long" + }, + { + "fields": [ + { + "description": "Count of bytes received from the network", + "name": "received_bytes_count.value", + "type": "long" + }, + { + "description": "Count of packets received from the network", + "name": "received_packets_count.value", + "type": "long" + }, + { + "description": "Count of bytes sent over the network", + "name": "sent_bytes_count.value", + "type": "long" + }, + { + "description": "Count of packets sent over the network", + "name": "sent_packets_count.value", + "type": "long" + } + ], + "name": "network", + "type": "group" + }, + { + "fields": [ + { + "description": "The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family.", + "name": "ram_size.value", + "type": "long" + }, + { + "description": "Memory currently used in the VM. 
This metric is only available for VMs that belong to the e2 family.", + "name": "ram_used.value", + "type": "long" + }, + { + "description": "The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family.", + "name": "swap_in_bytes_count.value", + "type": "long" + }, + { + "description": "The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.", + "name": "swap_out_bytes_count.value", + "type": "long" + } + ], + "name": "memory.balloon", + "type": "group" + } + ], + "name": "instance", + "type": "group" + } + ], + "name": "compute", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "loadbalancing": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Google Cloud Load Balancing metrics", + "fields": [ + { + "description": "Google Cloud Load Balancing metrics", + "fields": [ + { + "description": "The number of bytes sent as requests from HTTP/S load balancer to backends.", + "name": "backend_request_bytes_count.value", + "type": "long" + }, + { + "description": "The number of requests served by backends of HTTP/S load balancer.", + "name": "backend_request_count.value", + "type": "long" + }, + { + "description": "The number of bytes sent as requests from clients to HTTP/S load balancer.", + "name": "request_bytes_count.value", + "type": "long" + }, + { + "description": "The number of requests served by HTTP/S load balancer.", + "name": "request_count.value", + "type": "long" + }, + { + "description": "The number of bytes sent as responses from HTTP/S load balancer to clients.", + "name": "response_bytes_count.value", + "type": "long" + } + ], + "name": "https", + "type": "group" + }, + { + "description": "Google Cloud Load Balancing metrics", + "fields": [ + { + "description": "The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on 
application stream only).", + "name": "egress_bytes_count.value", + "type": "long" + }, + { + "description": "The number of packets sent from ILB backend to client of the flow.", + "name": "egress_packets_count.value", + "type": "long" + }, + { + "description": "The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only).", + "name": "ingress_bytes_count.value", + "type": "long" + }, + { + "description": "The number of packets sent from client to ILB backend.", + "name": "ingress_packets_count.value", + "type": "long" + } + ], + "name": "l3.internal", + "type": "group" + }, + { + "description": "Google Cloud Load Balancing metrics", + "fields": [ + { + "description": "Number of connections that were terminated over TCP/SSL proxy.", + "name": "closed_connections.value", + "type": "long" + }, + { + "description": "Number of bytes sent from VM to client using proxy.", + "name": "egress_bytes_count.value", + "type": "long" + }, + { + "description": "Number of bytes sent from client to VM using proxy.", + "name": "ingress_bytes_count.value", + "type": "long" + }, + { + "description": "Number of connections that were created over TCP/SSL proxy.", + "name": "new_connections.value", + "type": "long" + }, + { + "description": "Current number of outstanding connections through the TCP/SSL proxy.", + "name": "open_connections.value", + "type": "long" + } + ], + "name": "tcp_ssl_proxy", + "type": "group" + } + ], + "name": "loadbalancing", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "metrics": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Google Cloud Compute metrics", + "fields": null, + "key": "metrics", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "pubsub": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Google Cloud PubSub metrics", + "fields": [ + { + "description": "Suscription related metrics", + 
"fields": [ + { + "description": "Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type.", + "name": "ack_message_count.value", + "type": "long" + }, + { + "description": "Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription.", + "name": "backlog_bytes.value", + "type": "long" + }, + { + "description": "Number of messages delivered to a subscription's push endpoint, but not yet acknowledged.", + "name": "num_outstanding_messages.value", + "type": "long" + }, + { + "description": "Number of unacknowledged messages (a.k.a. backlog messages) in a subscription.", + "name": "num_undelivered_messages.value", + "type": "long" + }, + { + "description": "Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription.", + "name": "oldest_unacked_message_age.value", + "type": "long" + }, + { + "description": "Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.", + "name": "pull_ack_message_operation_count.value", + "type": "long" + }, + { + "description": "Cumulative count of acknowledge requests, grouped by result.", + "name": "pull_ack_request_count.value", + "type": "long" + }, + { + "description": "Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.", + "name": "pull_message_operation_count.value", + "type": "long" + }, + { + "description": "Cumulative count of pull requests, grouped by result.", + "name": "pull_request_count.value", + "type": "long" + }, + { + "description": "Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. 
The push server retries on errors, so a given user message can appear multiple times.", + "name": "push_request_count.value", + "type": "long" + }, + { + "description": "Distribution of push request latencies (in microseconds), grouped by result.", + "name": "push_request_latencies.value", + "type": "long" + }, + { + "description": "Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type.", + "name": "sent_message_count.value", + "type": "long" + }, + { + "description": "Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.", + "name": "streaming_pull_ack_message_operation_count.value", + "type": "long" + }, + { + "description": "Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result.", + "name": "streaming_pull_ack_request_count.value", + "type": "long" + }, + { + "description": "Cumulative count of streaming pull message operations, grouped by result. 
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count", + "name": "streaming_pull_message_operation_count.value", + "type": "long" + }, + { + "description": "Cumulative count of streaming pull responses, grouped by result.", + "name": "streaming_pull_response_count.value", + "type": "long" + }, + { + "description": "Cumulative count of messages published to dead letter topic, grouped by result.", + "name": "dead_letter_message_count.value", + "type": "long" + }, + { + "description": "Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type.", + "name": "mod_ack_deadline_message_count.value", + "type": "long" + }, + { + "description": "Cumulative count of ModifyAckDeadline message operations, grouped by result.", + "name": "mod_ack_deadline_message_operation_count.value", + "type": "long" + }, + { + "description": "Cumulative count of ModifyAckDeadline requests, grouped by result.", + "name": "mod_ack_deadline_request_count.value", + "type": "long" + }, + { + "description": "Age (in seconds) of the oldest acknowledged message retained in a subscription.", + "name": "oldest_retained_acked_message_age.value", + "type": "long" + }, + { + "description": "Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region.", + "name": "oldest_retained_acked_message_age_by_region.value", + "type": "long" + }, + { + "description": "Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region.", + "name": "oldest_unacked_message_age_by_region.value", + "type": "long" + }, + { + "description": "Total byte size of the acknowledged messages retained in a subscription.", + "name": "retained_acked_bytes.value", + "type": "long" + }, + { + "description": "Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region.", + "name": 
"retained_acked_bytes_by_region.value", + "type": "long" + }, + { + "description": "Cumulative count of seek attempts, grouped by result.", + "name": "seek_request_count.value", + "type": "long" + }, + { + "description": "Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result.", + "name": "streaming_pull_mod_ack_deadline_message_operation_count.value", + "type": "long" + }, + { + "description": "Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result.", + "name": "streaming_pull_mod_ack_deadline_request_count.value", + "type": "long" + }, + { + "description": "Cumulative cost of operations, measured in bytes. This is used to measure quota utilization.", + "name": "byte_cost.value", + "type": "long" + }, + { + "description": "Cumulative count of configuration changes for each subscription, grouped by operation type and result.", + "name": "config_updates_count.value", + "type": "long" + }, + { + "description": "Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region.", + "name": "unacked_bytes_by_region.value", + "type": "long" + } + ], + "name": "subscription", + "type": "group" + }, + { + "description": "Topic related metrics", + "fields": [ + { + "description": "Cumulative count of streaming pull responses, grouped by result.", + "name": "streaming_pull_response_count.value", + "type": "long" + }, + { + "description": "Cumulative count of publish message operations, grouped by result. 
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.", + "name": "send_message_operation_count.value", + "type": "long" + }, + { + "description": "Cumulative count of publish requests, grouped by result.", + "name": "send_request_count.value", + "type": "long" + }, + { + "description": "Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region.", + "name": "oldest_retained_acked_message_age_by_region.value", + "type": "long" + }, + { + "description": "Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region.", + "name": "oldest_unacked_message_age_by_region.value", + "type": "long" + }, + { + "description": "Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region.", + "name": "retained_acked_bytes_by_region.value", + "type": "long" + }, + { + "description": "Cost of operations, measured in bytes. This is used to measure utilization for quotas.", + "name": "byte_cost.value", + "type": "long" + }, + { + "description": "Cumulative count of configuration changes, grouped by operation type and result.", + "name": "config_updates_count.value", + "type": "long" + }, + { + "description": "Distribution of publish message sizes (in bytes)", + "name": "message_sizes.value", + "type": "long" + }, + { + "description": "Total byte size of the unacknowledged messages in a topic, broken down by Cloud region.", + "name": "unacked_bytes_by_region.value", + "type": "long" + } + ], + "name": "topic", + "type": "group" + }, + { + "description": "Snapshot related metrics", + "fields": [ + { + "description": "Age (in seconds) of the oldest message retained in a snapshot.", + "name": "oldest_message_age.value", + "type": "long" + }, + { + "description": "Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region.", + "name": "oldest_message_age_by_region.value", + "type": 
"long" + }, + { + "description": "Total byte size of the messages retained in a snapshot.", + "name": "backlog_bytes.value", + "type": "long" + }, + { + "description": "Total byte size of the messages retained in a snapshot, broken down by Cloud region.", + "name": "backlog_bytes_by_region.value", + "type": "long" + }, + { + "description": "Number of messages retained in a snapshot.", + "name": "num_messages.value", + "type": "long" + }, + { + "description": "Number of messages retained in a snapshot, broken down by Cloud region.", + "name": "num_messages_by_region.value", + "type": "long" + }, + { + "description": "Cumulative count of configuration changes, grouped by operation type and result.", + "name": "config_updates_count.value", + "type": "long" + } + ], + "name": "snapshot", + "type": "group" + } + ], + "name": "pubsub", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "storage": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Google Cloud Storage metrics", + "fields": [ + { + "fields": [ + { + "description": "Delta count of API calls, grouped by the API method name and response code.", + "name": "request_count.value", + "type": "long" + } + ], + "name": "api", + "type": "group" + }, + { + "fields": [ + { + "description": "Delta count of requests that result in an object being granted access solely due to object ACLs.", + "name": "acl_based_object_access_count.value", + "type": "long" + }, + { + "description": "Usage of ACL operations broken down by type.", + "name": "acl_operations_count.value", + "type": "long" + }, + { + "description": "Delta count of changes made to object specific ACLs.", + "name": "object_specific_acl_mutation_count.value", + "type": "long" + } + ], + "name": "authz", + "type": "group" + }, + { + "fields": [ + { + "description": "Delta count of bytes received over the network, grouped by the API method name and response code.", + "name": "received_bytes_count.value", + "type": 
"long" + }, + { + "description": "Delta count of bytes sent over the network, grouped by the API method name and response code.", + "name": "sent_bytes_count.value", + "type": "long" + } + ], + "name": "network", + "type": "group" + }, + { + "fields": [ + { + "description": "Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.", + "name": "object_count.value", + "type": "long" + }, + { + "description": "Delta count of bytes received over the network, grouped by the API method name and response code.", + "name": "total_byte_seconds.value", + "type": "long" + }, + { + "description": "Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.", + "name": "total_bytes.value", + "type": "long" + } + ], + "name": "storage", + "type": "group" + } + ], + "name": "storage", + "release": "beta", + "type": "group" + } + ] + } + } + } + } + } + }, + "graphite": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "module": "graphite" + } + ], + "fields.yml": [ + { + "description": "graphite Module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "graphite", + "type": "group" + } + ], + "key": "graphite", + "release": "ga", + "title": "Graphite" + } + ] + } + }, + "server": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "server\n", + "fields": [ + { + "description": "Example field\n", + "name": "example", + "type": "keyword" + } + ], + "name": "server", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "haproxy": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "tcp://127.0.0.1:14567" + ], + "module": "haproxy", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "HAProxy Module\n", + "fields": [ + { + 
"description": "HAProxy metrics.\n", + "fields": null, + "name": "haproxy", + "type": "group" + } + ], + "key": "haproxy", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "short_config": false, + "title": "HAProxy" + } + ] + } + }, + "info": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "General information about HAProxy processes.\n", + "fields": [ + { + "description": "Number of processes.\n", + "name": "processes", + "type": "long" + }, + { + "description": "Process number.\n", + "name": "process_num", + "type": "long" + }, + { + "description": "Number of threads.\n", + "name": "threads", + "type": "long" + }, + { + "description": "Process ID.\n", + "migration": true, + "name": "pid", + "path": "process.pid", + "type": "alias" + }, + { + "description": "", + "name": "run_queue", + "type": "long" + }, + { + "description": "Number of stopping jobs.\n", + "name": "stopping", + "type": "long" + }, + { + "description": "Number of all jobs.\n", + "name": "jobs", + "type": "long" + }, + { + "description": "Number of unstoppable jobs.\n", + "name": "unstoppable_jobs", + "type": "long" + }, + { + "description": "Number of listeners.\n", + "name": "listeners", + "type": "long" + }, + { + "description": "Number of dropped logs.\n", + "name": "dropped_logs", + "type": "long" + }, + { + "description": "Number of busy polling.\n", + "name": "busy_polling", + "type": "long" + }, + { + "description": "Number of failed resolutions.\n", + "name": "failed_resolutions", + "type": "long" + }, + { + "description": "", + "name": "tasks", + "type": "long" + }, + { + "description": "Current uptime in seconds.\n", + "name": "uptime.sec", + "type": "long" + }, + { + "description": "Maximum amount of memory usage in bytes (the 'Memmax_MB' value converted to bytes).\n", + "format": "bytes", + "name": "memory.max.bytes", + "type": "long" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Number of bytes sent out.\n", + "name": 
"total", + "type": "long" + }, + { + "description": "Average bytes output rate.\n", + "name": "rate", + "type": "long" + } + ], + "name": "out", + "type": "group" + } + ], + "name": "bytes", + "type": "group" + }, + { + "fields": [ + { + "description": "Number of active peers.\n", + "name": "active", + "type": "long" + }, + { + "description": "Number of connected peers.\n", + "name": "connected", + "type": "long" + } + ], + "name": "peers", + "type": "group" + }, + { + "fields": [ + { + "description": "Size of the allocated pool.\n", + "name": "allocated", + "type": "long" + }, + { + "description": "Number of members used from the allocated pool.\n", + "name": "used", + "type": "long" + }, + { + "description": "Number of failed connections to pool members.\n", + "name": "failed", + "type": "long" + } + ], + "name": "pool", + "type": "group" + }, + { + "description": "Maximum number of open files for the process.\n", + "name": "ulimit_n", + "type": "long" + }, + { + "description": "", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "", + "name": "in", + "type": "long" + }, + { + "description": "", + "name": "out", + "type": "long" + }, + { + "description": "", + "name": "rate_limit", + "type": "long" + } + ], + "name": "bps", + "type": "group" + } + ], + "name": "compress", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "", + "name": "value", + "type": "long" + }, + { + "description": "", + "name": "limit", + "type": "long" + }, + { + "description": "", + "name": "max", + "type": "long" + } + ], + "name": "rate", + "type": "group" + }, + { + "description": "Current connections.\n", + "name": "current", + "type": "long" + }, + { + "description": "Total connections.\n", + "name": "total", + "type": "long" + }, + { + "description": "Current SSL connections.\n", + "name": "ssl.current", + "type": "long" + }, + { + "description": "Total SSL connections.\n", + "name": 
"ssl.total", + "type": "long" + }, + { + "description": "Maximum SSL connections.\n", + "name": "ssl.max", + "type": "long" + }, + { + "description": "Maximum connections.\n", + "name": "max", + "type": "long" + }, + { + "description": "", + "name": "hard_max", + "type": "long" + } + ], + "name": "connection", + "type": "group" + }, + { + "description": "", + "name": "requests.total", + "type": "long" + }, + { + "description": "", + "name": "sockets.max", + "type": "long" + }, + { + "description": "", + "name": "requests.max", + "type": "long" + }, + { + "description": "", + "fields": [ + { + "description": "", + "name": "used", + "type": "integer" + }, + { + "description": "", + "name": "free", + "type": "integer" + }, + { + "description": "", + "name": "max", + "type": "integer" + } + ], + "name": "pipes", + "type": "group" + }, + { + "description": null, + "fields": [ + { + "description": "", + "name": "rate.value", + "type": "integer" + }, + { + "description": "", + "name": "rate.limit", + "type": "integer" + }, + { + "description": "", + "name": "rate.max", + "type": "integer" + } + ], + "name": "session", + "type": "group" + }, + { + "description": null, + "fields": [ + { + "description": null, + "name": "rate.value", + "type": "integer" + }, + { + "description": null, + "name": "rate.limit", + "type": "integer" + }, + { + "description": null, + "name": "rate.max", + "type": "integer" + }, + { + "description": null, + "fields": [ + { + "description": null, + "name": "key_rate.value", + "type": "integer" + }, + { + "description": null, + "name": "key_rate.max", + "type": "integer" + }, + { + "description": null, + "format": "percent", + "name": "session_reuse.pct", + "type": "scaled_float" + } + ], + "name": "frontend", + "type": "group" + }, + { + "description": null, + "fields": [ + { + "description": null, + "name": "key_rate.value", + "type": "integer" + }, + { + "description": "MaxConnRate", + "name": "key_rate.max", + "type": "integer" + } + ], + "name": 
"backend", + "type": "group" + }, + { + "description": null, + "name": "cached_lookups", + "type": "long" + }, + { + "description": null, + "name": "cache_misses", + "type": "long" + } + ], + "name": "ssl", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "", + "name": "value", + "type": "integer" + }, + { + "description": "", + "name": "max", + "type": "integer" + } + ], + "name": "zlib_mem_usage", + "type": "group" + }, + { + "description": "", + "format": "percent", + "name": "idle.pct", + "type": "scaled_float" + } + ], + "name": "info", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "stat": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Stats collected from HAProxy processes.\n", + "fields": [ + { + "description": "Status (UP, DOWN, NOLB, MAINT, or MAINT(via)...).\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Total weight (for backends), or server weight (for servers).\n", + "name": "weight", + "type": "long" + }, + { + "description": "Total downtime (in seconds). 
For backends, this value is the downtime for the whole backend, not the sum of the downtime for the servers.\n", + "name": "downtime", + "type": "long" + }, + { + "description": "Component type (0=frontend, 1=backend, 2=server, or 3=socket/listener).\n", + "name": "component_type", + "type": "integer" + }, + { + "description": "Process ID (0 for first instance, 1 for second, and so on).\n", + "migration": true, + "name": "process_id", + "path": "process.pid", + "type": "alias" + }, + { + "description": "Service name (FRONTEND for frontend, BACKEND for backend, or any name for server/listener).\n", + "name": "service_name", + "type": "keyword" + }, + { + "description": "Bytes in.\n", + "format": "bytes", + "name": "in.bytes", + "type": "long" + }, + { + "description": "Bytes out.\n", + "format": "bytes", + "name": "out.bytes", + "type": "long" + }, + { + "description": "Number of seconds since the last UP->DOWN or DOWN->UP transition.\n", + "name": "last_change", + "type": "integer" + }, + { + "description": "Current throttle percentage for the server when slowstart is active, or no value if slowstart is inactive.\n", + "format": "percent", + "name": "throttle.pct", + "type": "scaled_float" + }, + { + "description": "Total number of times a server was selected, either for new sessions, or when re-dispatching. 
For servers, this field reports the the number of times the server was selected.\n", + "name": "selected.total", + "type": "long" + }, + { + "description": "ID of the proxy/server if tracking is enabled.\n", + "name": "tracked.id", + "type": "long" + }, + { + "description": "Cookie value of the server or the name of the cookie of the backend.\n", + "name": "cookie", + "type": "keyword" + }, + { + "description": "Load balancing algorithm.\n", + "name": "load_balancing_algorithm", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Cumulative number of connections.\n", + "name": "total", + "type": "long" + }, + { + "description": "Number of times a connection to a server was retried.\n", + "name": "retried", + "type": "long" + }, + { + "description": "Average connect time in ms over the last 1024 requests.\n", + "name": "time.avg", + "type": "long" + }, + { + "description": "Number of connections over the last second.\n", + "name": "rate", + "type": "long" + }, + { + "description": "Highest value of connection.rate.\n", + "name": "rate_max", + "type": "long" + }, + { + "description": "Number of connection establishment attempts.\n", + "name": "attempt.total", + "type": "long" + }, + { + "description": "Number of connection reuses.\n", + "name": "reuse.total", + "type": "long" + }, + { + "fields": [ + { + "description": "Number of idle connections available for reuse.\n", + "name": "total", + "type": "long" + }, + { + "description": "Limit on idle connections available for reuse.\n", + "name": "limit", + "type": "long" + } + ], + "name": "idle", + "type": "group" + }, + { + "fields": [ + { + "description": "Number of cache lookups.\n", + "name": "lookup.total", + "type": "long" + }, + { + "description": "Number of cache hits.\n", + "name": "hits", + "type": "long" + } + ], + "name": "cache", + "type": "group" + } + ], + "name": "connection", + "type": "group" + }, + { + "fields": [ + { + "description": "Requests denied because of security concerns.\n\n * 
For TCP this is because of a matched tcp-request content rule.\n * For HTTP this is because of a matched http-request or tarpit rule.\n", + "name": "denied", + "type": "long" + }, + { + "description": "Requests denied because of TCP request connection rules.\n", + "name": "denied_by_connection_rules", + "type": "long" + }, + { + "description": "Requests denied because of TCP request session rules.\n", + "name": "denied_by_session_rules", + "type": "long" + }, + { + "description": "Current queued requests. For backends, this field reports the number of requests queued without a server assigned.\n", + "name": "queued.current", + "type": "long" + }, + { + "description": "Maximum value of queued.current.\n", + "name": "queued.max", + "type": "long" + }, + { + "description": "Request errors. Some of the possible causes are:\n\n * early termination from the client, before the request has been sent\n * read error from the client\n * client timeout\n * client closed connection\n * various bad requests from the client.\n * request was tarpitted.\n", + "name": "errors", + "type": "long" + }, + { + "description": "Number of times a request was redispatched to another server. For servers, this field reports the number of times the server was switched away from.\n", + "name": "redispatched", + "type": "long" + }, + { + "description": "Number of requests that encountered an error trying to connect to a server. 
For backends, this field reports the sum of the stat for all backend servers, plus any connection errors not associated with a particular server (such as the backend having no active servers).\n", + "name": "connection.errors", + "type": "long" + }, + { + "description": "", + "fields": [ + { + "description": "Number of HTTP requests per second over the last elapsed second.\n", + "name": "value", + "type": "long" + }, + { + "description": "Maximum number of HTTP requests per second.\n", + "name": "max", + "type": "long" + } + ], + "name": "rate", + "type": "group" + }, + { + "description": "Total number of HTTP requests received.\n", + "name": "total", + "type": "long" + }, + { + "description": "Number of intercepted requests.\n", + "name": "intercepted", + "type": "long" + } + ], + "name": "request", + "type": "group" + }, + { + "fields": [ + { + "description": "Number of response errors. This value includes the number of data transfers aborted by the server (haproxy.stat.server.aborted). Some other errors are:\n* write errors on the client socket (won't be counted for the server stat) * failure applying filters to the response\n", + "name": "errors", + "type": "long" + }, + { + "description": "Average response time in ms over the last 1024 requests (0 for TCP).\n", + "name": "time.avg", + "type": "long" + }, + { + "description": "Responses denied because of security concerns. 
For HTTP this is because of a matched http-request rule, or \"option checkcache\".\n", + "name": "denied", + "type": "integer" + }, + { + "description": "", + "fields": [ + { + "description": "HTTP responses with 1xx code.\n", + "name": "1xx", + "type": "long" + }, + { + "description": "HTTP responses with 2xx code.\n", + "name": "2xx", + "type": "long" + }, + { + "description": "HTTP responses with 3xx code.\n", + "name": "3xx", + "type": "long" + }, + { + "description": "HTTP responses with 4xx code.\n", + "name": "4xx", + "type": "long" + }, + { + "description": "HTTP responses with 5xx code.\n", + "name": "5xx", + "type": "long" + }, + { + "description": "HTTP responses with other codes (protocol error).\n", + "name": "other", + "type": "long" + } + ], + "name": "http", + "type": "group" + } + ], + "name": "response", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "fields": [ + { + "description": "Number of failed header rewrite warnings.\n", + "name": "total", + "type": "long" + } + ], + "name": "failed", + "type": "group" + } + ], + "name": "rewrite", + "type": "group" + } + ], + "name": "header", + "type": "group" + }, + { + "fields": [ + { + "description": "Number of current sessions.\n", + "name": "current", + "type": "long" + }, + { + "description": "Maximum number of sessions.\n", + "name": "max", + "type": "long" + }, + { + "description": "Configured session limit.\n", + "name": "limit", + "type": "long" + }, + { + "description": "Number of all sessions.\n", + "name": "total", + "type": "long" + }, + { + "fields": [ + { + "description": "Number of sessions per second over the last elapsed second.\n", + "name": "value", + "type": "integer" + }, + { + "description": "Configured limit on new sessions per second.\n", + "name": "limit", + "type": "integer" + }, + { + "description": "Maximum number of new sessions per second.\n", + "name": "max", + "type": "integer" + } + ], + "name": "rate", + "type": "group" + } + ], + "name": "session", + 
"type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "Status of the last health check. One of:\n\n UNK -> unknown\n INI -> initializing\n SOCKERR -> socket error\n L4OK -> check passed on layer 4, no upper layers testing enabled\n L4TOUT -> layer 1-4 timeout\n L4CON -> layer 1-4 connection problem, for example\n \"Connection refused\" (tcp rst) or \"No route to host\" (icmp)\n L6OK -> check passed on layer 6\n L6TOUT -> layer 6 (SSL) timeout\n L6RSP -> layer 6 invalid response - protocol error\n L7OK -> check passed on layer 7\n L7OKC -> check conditionally passed on layer 7, for example 404 with\n disable-on-404\n L7TOUT -> layer 7 (HTTP/SMTP) timeout\n L7RSP -> layer 7 invalid response - protocol error\n L7STS -> layer 7 response error, for example HTTP 5xx\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Layer 5-7 code, if available.\n", + "name": "code", + "type": "long" + }, + { + "description": "Time in ms that it took to finish the last health check.\n", + "name": "duration", + "type": "long" + }, + { + "description": "The result of the last health check.\n", + "name": "health.last", + "type": "keyword" + }, + { + "description": "Number of failed checks.\n", + "name": "health.fail", + "type": "long" + }, + { + "description": "", + "name": "agent.last", + "type": "integer" + }, + { + "description": "Number of checks that failed while the server was up.\n", + "name": "failed", + "type": "long" + }, + { + "description": "Number of UP->DOWN transitions. 
For backends, this value is the number of transitions to the whole backend being down, rather than the sum of the transitions for each server.\n", + "name": "down", + "type": "long" + } + ], + "name": "check", + "type": "group" + }, + { + "description": "Number of data transfers aborted by the client.\n", + "name": "client.aborted", + "type": "integer" + }, + { + "description": "", + "fields": [ + { + "description": "Server ID (unique inside a proxy).\n", + "name": "id", + "type": "integer" + }, + { + "description": "Number of data transfers aborted by the server. This value is included in haproxy.stat.response.errors.\n", + "name": "aborted", + "type": "integer" + }, + { + "description": "Number of backend servers that are active, meaning that they are healthy and can receive requests from the load balancer.\n", + "name": "active", + "type": "integer" + }, + { + "description": "Number of backend servers that are backup servers.\n", + "name": "backup", + "type": "integer" + } + ], + "name": "server", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "Number of HTTP response bytes fed to the compressor.\n", + "format": "bytes", + "name": "in.bytes", + "type": "long" + }, + { + "description": "Number of HTTP response bytes emitted by the compressor.\n", + "format": "bytes", + "name": "out.bytes", + "type": "integer" + }, + { + "description": "Number of bytes that bypassed the HTTP compressor (CPU/BW limit).\n", + "format": "bytes", + "name": "bypassed.bytes", + "type": "long" + }, + { + "description": "Number of HTTP responses that were compressed.\n", + "format": "bytes", + "name": "response.bytes", + "type": "long" + } + ], + "name": "compressor", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "Unique proxy ID.\n", + "name": "id", + "type": "integer" + }, + { + "description": "Proxy name.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Proxy mode (tcp, http, health, 
unknown).\n", + "name": "mode", + "type": "keyword" + } + ], + "name": "proxy", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "Configured queue limit (maxqueue) for the server, or nothing if the value of maxqueue is 0 (meaning no limit).\n", + "name": "limit", + "type": "integer" + }, + { + "description": "The average queue time in ms over the last 1024 requests.\n", + "name": "time.avg", + "type": "integer" + } + ], + "name": "queue", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "Status of the last health check. One of:\n\n UNK -> unknown\n INI -> initializing\n SOCKERR -> socket error\n L4OK -> check passed on layer 4, no upper layers enabled\n L4TOUT -> layer 1-4 timeout\n L4CON -> layer 1-4 connection problem, for example\n \"Connection refused\" (tcp rst) or \"No route to host\" (icmp)\n L7OK -> agent reported \"up\"\n L7STS -> agent reported \"fail\", \"stop\" or \"down\"\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Human readable version of agent.status.\n", + "name": "description", + "type": "keyword" + }, + { + "description": "Value reported by agent.\n", + "name": "code", + "type": "integer" + }, + { + "description": "Rise value of agent.\n", + "name": "rise", + "type": "integer" + }, + { + "description": "Fall value of agent.\n", + "name": "fall", + "type": "integer" + }, + { + "description": "Health parameter of agent. Between 0 and `agent.rise`+`agent.fall`-1.\n", + "name": "health", + "type": "integer" + }, + { + "description": "Duration of the last check in ms.\n", + "name": "duration", + "type": "integer" + }, + { + "fields": [ + { + "description": "Rise value of server.\n", + "name": "rise", + "type": "integer" + }, + { + "description": "Fall value of server.\n", + "name": "fall", + "type": "integer" + }, + { + "description": "Health parameter of server. 
Between 0 and `agent.check.rise`+`agent.check.fall`-1.\n", + "name": "health", + "type": "integer" + }, + { + "description": "Human readable version of check.\n", + "name": "description", + "type": "keyword" + } + ], + "name": "check", + "type": "group" + } + ], + "name": "agent", + "type": "group" + }, + { + "fields": [ + { + "description": "Address of the source.\n", + "name": "address", + "type": "text" + } + ], + "name": "source", + "type": "group" + } + ], + "name": "stat", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "http": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:80" + ], + "module": "http", + "namespace": "json_namespace", + "path": "/", + "period": "10s" + }, + { + "enabled": false, + "host": "localhost", + "module": "http", + "port": "8080" + } + ], + "fields.yml": [ + { + "description": "HTTP module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "HTTP request information\n", + "fields": [ + { + "description": "The HTTP headers sent\n", + "name": "headers", + "type": "object" + } + ], + "name": "request", + "type": "group" + }, + { + "description": "HTTP response information\n", + "fields": [ + { + "description": "The HTTP headers received\n", + "name": "headers", + "type": "object" + }, + { + "description": "The HTTP status code\n", + "example": 404, + "name": "code", + "type": "keyword" + }, + { + "description": "The HTTP status phrase\n", + "example": "Not found", + "name": "phrase", + "type": "keyword" + } + ], + "name": "response", + "type": "group" + } + ], + "name": "http", + "type": "group" + } + ], + "key": "http", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "title": "HTTP" + } + ] + } + }, + "json": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "json metricset\n", + "fields": null, + "name": "json", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "test": { + "files": { 
+ "config.yml": { + "logging.level": "debug", + "logging.selectors": [ + "*" + ], + "metricbeat.modules": [ + { + "enabled": true, + "headers": { + "Accept": "application/json" + }, + "hosts": [ + "http://date.jsontest.com" + ], + "json.is_array": false, + "metricsets": [ + "json" + ], + "module": "http", + "namespace": "http_json_namespace", + "period": "10s", + "request.enabled": true, + "response.enabled": true + } + ], + "output.elasticsearch": { + "hosts": [ + "localhost:9200" + ] + }, + "output.file": { + "enabled": true, + "path": "/tmp/httpmetric" + } + } + } + }, + "testdata": { + "files": { + "config.yml": { + "module": { + "namespace": "test" + }, + "omit_documented_fields_check": [ + "http.test.*" + ], + "type": "http", + "url": "/" + } + } + } + } + } + } + }, + "server": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "server\n", + "fields": null, + "name": "server", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "ibmmq": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:9157" + ], + "metrics_path": "/metrics", + "metricsets": [ + "qmgr" + ], + "module": "ibmmq", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "IBM MQ module\n", + "fields": [ + { + "fields": null, + "name": "ibmmq", + "type": "group" + } + ], + "key": "ibmmq", + "release": "beta", + "settings": [ + "http" + ], + "title": "IBM MQ" + } + ] + } + }, + "qmgr": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "release": "beta" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "remove_fields_from_comparison": [ + "prometheus.labels.instance" + ], + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + } + } + }, + "iis": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "enabled": true, + "metricsets": [ + "webserver", + "website", + "application_pool" + ], + "module": "iis", + 
"period": "10s" + } + ], + "fields.yml": [ + { + "description": "iis module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "iis", + "type": "group" + } + ], + "key": "iis", + "release": "beta", + "title": "IIS" + } + ] + } + }, + "application_pool": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "application_pool\n", + "fields": [ + { + "description": "application pool name\n", + "name": "name", + "type": "keyword" + } + ], + "name": "application_pool", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "webserver": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "webserver\n", + "name": "webserver.*.*", + "object_type": "float", + "object_type_mapping_type": "*", + "release": "beta", + "type": "object" + } + ] + } + } + } + }, + "website": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "website\n", + "fields": [ + { + "description": "website name\n", + "name": "name", + "type": "keyword" + } + ], + "name": "website.*.*", + "object_type": "float", + "object_type_mapping_type": "*", + "release": "beta", + "type": "object" + } + ] + } + } + } + } + } + }, + "istio": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:42422" + ], + "metricsets": [ + "mesh" + ], + "module": "istio", + "period": "10s" + }, + { + "hosts": [ + "localhost:15014" + ], + "metricsets": [ + "mixer" + ], + "module": "istio", + "period": "10s" + }, + { + "hosts": [ + "localhost:15014" + ], + "metricsets": [ + "galley" + ], + "module": "istio", + "period": "10s" + }, + { + "hosts": [ + "localhost:15014" + ], + "metricsets": [ + "pilot" + ], + "module": "istio", + "period": "10s" + }, + { + "hosts": [ + "localhost:15014" + ], + "metricsets": [ + "citadel" + ], + "module": "istio", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "istio Module\n", + "fields": [ + { + "description": "`istio` contains 
statistics that were read from Istio\n", + "fields": null, + "name": "istio", + "type": "group" + } + ], + "key": "istio", + "release": "beta", + "title": "Istio" + } + ] + } + }, + "citadel": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains statistics related to the Istio Citadel service\n", + "fields": [ + { + "description": "The grpc method\n", + "name": "grpc.method", + "type": "keyword" + }, + { + "description": "The grpc service\n", + "name": "grpc.service", + "type": "keyword" + }, + { + "description": "The type of the respective grpc service\n", + "name": "grpc.type", + "type": "keyword" + }, + { + "description": "The number of certificates created due to service account creation.\n", + "name": "secret_controller_svc_acc_created_cert.count", + "type": "long" + }, + { + "description": "The unix timestamp, in seconds, when Citadel root cert will expire. We set it to negative in case of internal error.\n", + "name": "server_root_cert_expiry_seconds", + "type": "float" + }, + { + "description": "Total number of RPCs completed on the server, regardless of success or failure.\n", + "name": "grpc.server.handled", + "type": "long" + }, + { + "description": "Total number of RPC stream messages received on the server.\n", + "name": "grpc.server.msg.received", + "type": "long" + }, + { + "description": "Total number of gRPC stream messages sent by the server.\n", + "name": "grpc.server.msg.sent", + "type": "long" + }, + { + "description": "Total number of RPCs started on the server.\n", + "name": "grpc.server.started", + "type": "long" + }, + { + "description": "The response latency (milliseconds) of gRPC that had been application-level handled by the server.\n", + "name": "grpc.server.handling.latency.ms.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "The response latency of gRPC, sum of latencies in milliseconds\n", + "format": "duration", + "name": "grpc.server.handling.latency.ms.sum", + 
"type": "long" + }, + { + "description": "The response latency of gRPC, number of metrics\n", + "name": "grpc.server.handling.latency.ms.count", + "type": "long" + } + ], + "name": "citadel", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "galley": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains statistics related to the Istio galley service\n", + "fields": [ + { + "description": "The name of the resource the metric is related to\n", + "name": "name", + "type": "keyword" + }, + { + "description": "The Kubernetes namespace of the resource\n", + "name": "namespace", + "type": "keyword" + }, + { + "description": "The version of the object\n", + "name": "version", + "type": "keyword" + }, + { + "description": "The collection of the instance\n", + "name": "collection", + "type": "keyword" + }, + { + "description": "The number of valid istio/authentication/meshpolicies known to galley at a point in time\n", + "name": "istio.authentication.meshpolicies", + "type": "long" + }, + { + "description": "The number of valid istio/authentication/policies known to galley at a point in time\n", + "name": "istio.authentication.policies", + "type": "long" + }, + { + "description": "The number of valid istio/mesh/MeshConfig known to galley at a point in time\n", + "name": "istio.mesh.MeshConfig", + "type": "long" + }, + { + "description": "The number of valid istio/networking/destinationrules known to galley at a point in time\n", + "name": "istio.networking.destinationrules", + "type": "long" + }, + { + "description": "The number of valid istio/networking/envoyfilters known to galley at a point in time\n", + "name": "istio.networking.envoyfilters", + "type": "long" + }, + { + "description": "The number of valid istio/networking/gateways known to galley at a point in time\n", + "name": 
"istio.networking.gateways", + "type": "long" + }, + { + "description": "The number of valid istio/networking/sidecars known to galley at a point in time\n", + "name": "istio.networking.sidecars", + "type": "long" + }, + { + "description": "The number of valid istio/networking/virtualservices known to galley at a point in time\n", + "name": "istio.networking.virtualservices", + "type": "long" + }, + { + "description": "The number of valid istio/policy/attributemanifests known to galley at a point in time\n", + "name": "istio.policy.attributemanifests", + "type": "long" + }, + { + "description": "The number of valid istio/policy/handlers known to galley at a point in time\n", + "name": "istio.policy.handlers", + "type": "long" + }, + { + "description": "The number of valid istio/policy/instances known to galley at a point in time\n", + "name": "istio.policy.instances", + "type": "long" + }, + { + "description": "The number of valid istio/policy/rules known to galley at a point in time\n", + "name": "istio.policy.rules", + "type": "long" + }, + { + "description": "The duration between each incoming event as histogram buckets in milliseconds\n", + "name": "runtime.processor.event_span.duration.ms.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "The duration between each incoming event, sum of durations in milliseconds\n", + "format": "duration", + "name": "runtime.processor.event_span.duration.ms.sum", + "type": "long" + }, + { + "description": "The duration between each incoming event, number of metrics\n", + "name": "runtime.processor.event_span.duration.ms.count", + "type": "long" + }, + { + "description": "The number of events that have been processed as histogram buckets\n", + "name": "runtime.processor.snapshot_events.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "The number of events that have been processed, sum of events\n", + "name": "runtime.processor.snapshot_events.sum", + "type": "long" 
+ }, + { + "description": "The duration between each incoming event, number of metrics\n", + "name": "runtime.processor.snapshot_events.count", + "type": "long" + }, + { + "description": "The duration of each snapshot as histogram buckets in milliseconds\n", + "name": "runtime.processor.snapshot_lifetime.duration.ms.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "The duration of each snapshot, sum of durations in milliseconds\n", + "format": "duration", + "name": "runtime.processor.snapshot_lifetime.duration.ms.sum", + "type": "long" + }, + { + "description": "The duration of each snapshot, number of metrics\n", + "name": "runtime.processor.snapshot_lifetime.duration.ms.count", + "type": "long" + }, + { + "description": "The number of type instances per type URL\n", + "name": "runtime.state_type_instances", + "type": "long" + }, + { + "description": "The number of times the strategy's onChange has been called\n", + "name": "runtime.strategy.on_change", + "type": "long" + }, + { + "description": "The number of times a quiesce has been reached\n", + "name": "runtime.strategy.timer_quiesce_reached", + "type": "long" + }, + { + "description": "The number of times a kubernetes source successfully handled an event\n", + "name": "source_kube_event_success_total", + "type": "long" + }, + { + "description": "Galley validation webhook certificate updates\n", + "name": "validation.cert_key.updates", + "type": "long" + }, + { + "description": "k8s webhook configuration (re)loads\n", + "name": "validation.config.load", + "type": "long" + }, + { + "description": "k8s webhook configuration updates\n", + "name": "validation.config.updates", + "type": "long" + } + ], + "name": "galley", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "mesh": { + "folders": { + "_meta": { + "files": { + 
"fields.yml": [ + { + "description": "Contains statistics related to the Istio mesh service\n", + "fields": [ + { + "description": "The prometheus instance\n", + "name": "instance", + "type": "text" + }, + { + "description": "The prometheus job\n", + "name": "job", + "type": "keyword" + }, + { + "description": "Total requests handled by an Istio proxy\n", + "name": "requests", + "type": "long" + }, + { + "description": "Request duration histogram buckets in milliseconds\n", + "name": "request.duration.ms.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Requests duration, sum of durations in milliseconds\n", + "format": "duration", + "name": "request.duration.ms.sum", + "type": "long" + }, + { + "description": "Requests duration, number of requests\n", + "name": "request.duration.ms.count", + "type": "long" + }, + { + "description": "Request Size histogram buckets\n", + "name": "request.size.bytes.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Request Size histogram sum\n", + "name": "request.size.bytes.sum", + "type": "long" + }, + { + "description": "Request Size histogram count\n", + "name": "request.size.bytes.count", + "type": "long" + }, + { + "description": "Request Size histogram buckets\n", + "name": "response.size.bytes.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Request Size histogram sum\n", + "name": "response.size.bytes.sum", + "type": "long" + }, + { + "description": "Request Size histogram count\n", + "name": "response.size.bytes.count", + "type": "long" + }, + { + "description": "Reporter identifies the reporter of the request. 
It is set to destination if report is from a server Istio proxy and source if report is from a client Istio proxy.\n", + "name": "reporter", + "type": "keyword" + }, + { + "description": "This identifies the name of source workload which controls the source.\n", + "name": "source.workload.name", + "type": "keyword" + }, + { + "description": "This identifies the namespace of the source workload.\n", + "name": "source.workload.namespace", + "type": "keyword" + }, + { + "description": "This identifies the peer principal of the traffic source. It is set when peer authentication is used.\n", + "name": "source.principal", + "type": "keyword" + }, + { + "description": "This identifies the source app based on app label of the source workload.\n", + "name": "source.app", + "type": "keyword" + }, + { + "description": "This identifies the version of the source workload.\n", + "name": "source.version", + "type": "keyword" + }, + { + "description": "This identifies the name of destination workload.\n", + "name": "destination.workload.name", + "type": "keyword" + }, + { + "description": "This identifies the namespace of the destination workload.\n", + "name": "destination.workload.namespace", + "type": "keyword" + }, + { + "description": "This identifies the peer principal of the traffic destination. 
It is set when peer authentication is used.\n", + "name": "destination.principal", + "type": "keyword" + }, + { + "description": "This identifies the destination app based on app label of the destination workload..\n", + "name": "destination.app", + "type": "keyword" + }, + { + "description": "This identifies the version of the destination workload.\n", + "name": "destination.version", + "type": "keyword" + }, + { + "description": "This identifies destination service host responsible for an incoming request.\n", + "name": "destination.service.host", + "type": "keyword" + }, + { + "description": "This identifies the destination service name.\n", + "name": "destination.service.name", + "type": "keyword" + }, + { + "description": "This identifies the namespace of destination service.\n", + "name": "destination.service.namespace", + "type": "keyword" + }, + { + "description": "This identifies the protocol of the request. It is set to API protocol if provided, otherwise request or connection protocol.\n", + "name": "request.protocol", + "type": "keyword" + }, + { + "description": "This identifies the response code of the request. This label is present only on HTTP metrics.\n", + "name": "response.code", + "type": "long" + }, + { + "description": "This identifies the service authentication policy of the request. It is set to mutual_tls when Istio is used to make communication secure and report is from destination. 
It is set to unknown when report is from source since security policy cannot be properly populated.\n", + "name": "connection.security.policy", + "type": "keyword" + } + ], + "name": "mesh", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "mixer": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains statistics related to the Istio mixer service\n", + "fields": [ + { + "description": "The number of request acks received by the source.\n", + "name": "istio.mcp.request.acks", + "type": "long" + }, + { + "description": "The number of errors encountered during processing of the adapter info configuration.\n", + "name": "config.adapter.info.errors.config", + "type": "long" + }, + { + "description": "The number of known adapters in the current config.\n", + "name": "config.adapter.info.configs", + "type": "long" + }, + { + "description": "The number of known attributes in the current config.\n", + "name": "config.attributes", + "type": "long" + }, + { + "description": "The number of known handlers in the current config.\n", + "name": "config.handler.configs", + "type": "long" + }, + { + "description": "The number of errors encountered because handler validation returned error.\n", + "name": "config.handler.errors.validation", + "type": "long" + }, + { + "description": "The number of errors encountered during processing of the instance configuration.\n", + "name": "config.instance.errors.config", + "type": "long" + }, + { + "description": "The number of known instances in the current config.\n", + "name": "config.instance.configs", + "type": "long" + }, + { + "description": "The number of errors encountered during processing of the rule configuration.\n", + "name": "config.rule.errors.config", + "type": "long" + }, + { + "description": "The number of rule conditions that was not 
parseable.\n", + "name": "config.rule.errors.match", + "type": "long" + }, + { + "description": "The number of known rules in the current config.\n", + "name": "config.rule.configs", + "type": "long" + }, + { + "description": "The number of errors encountered during processing of the template configuration.\n", + "name": "config.template.errors.config", + "type": "long" + }, + { + "description": "The number of known templates in the current config.\n", + "name": "config.template.configs", + "type": "long" + }, + { + "description": "The number of actions that failed due to handlers being unavailable.\n", + "name": "config.unsatisfied.action_handler", + "type": "long" + }, + { + "description": "The number of Mixer adapter destinations by template variety type.\n", + "name": "dispatcher_destinations_per_variety_total", + "type": "long" + }, + { + "description": "The number of handlers that were closed during config transition.\n", + "name": "handler.handlers.closed", + "type": "long" + }, + { + "description": "The current number of active daemon routines in a given adapter environment.\n", + "name": "handler.daemons", + "type": "long" + }, + { + "description": "The number of handlers that failed creation during config transition.\n", + "name": "handler.failures.build", + "type": "long" + }, + { + "description": "The number of errors encountered while closing handlers during config transition.\n", + "name": "handler.failures.close", + "type": "long" + }, + { + "description": "The number of handlers that were newly created during config transition.\n", + "name": "handler.handlers.new", + "type": "long" + }, + { + "description": "The number of handlers that were re-used during config transition.\n", + "name": "handler.handlers.reused", + "type": "long" + }, + { + "description": "The name of the daemon handler\n", + "name": "handler.name", + "type": "keyword" + }, + { + "description": "The name of the variety\n", + "name": "variety", + "type": "keyword" + } + ], + "name": 
"mixer", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "pilot": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains statistics related to the Istio pilot service\n", + "fields": [ + { + "description": "Count of concurrent xDS client connections for Pilot.\n", + "name": "xds.count", + "type": "long" + }, + { + "description": "Count of xDS messages sent, as well as errors building or sending xDS messages for lds, rds, cds and eds.\n", + "name": "xds.pushes", + "type": "long" + }, + { + "description": "Total time Pilot takes to push lds, rds, cds and eds, histogram buckets in milliseconds.\n", + "name": "xds.push.time.ms.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Total time Pilot takes to push lds, rds, cds and eds, histogram sum of times in milliseconds.\n", + "name": "xds.push.time.ms.sum", + "type": "long" + }, + { + "description": "Total time Pilot takes to push lds, rds, cds and eds, histogram count of times.\n", + "name": "xds.push.time.ms.count", + "type": "long" + }, + { + "description": "Instances for each cluster, as of last push. 
Zero instances is an error.\n", + "name": "xds.eds.instances", + "type": "long" + }, + { + "description": "Number of errors (timeouts) initiating push context.\n", + "name": "xds.push.context.errors", + "type": "long" + }, + { + "description": "Total number of internal XDS errors in pilot.\n", + "name": "xds.internal.errors", + "type": "long" + }, + { + "description": "Number of conflicting inbound listeners.\n", + "name": "conflict.listener.inbound", + "type": "long" + }, + { + "description": "Number of conflicting wildcard http listeners with current wildcard tcp listener.\n", + "name": "conflict.listener.outbound.http.over.current.tcp", + "type": "long" + }, + { + "description": "Number of conflicting HTTP listeners with well known HTTPS ports.\n", + "name": "conflict.listener.outbound.http.over.https", + "type": "long" + }, + { + "description": "Number of conflicting wildcard tcp listeners with current wildcard http listener.\n", + "name": "conflict.listener.outbound.tcp.over.current.http", + "type": "long" + }, + { + "description": "Number of conflicting tcp listeners with current tcp listener.\n", + "name": "conflict.listener.outbound.tcp.over.current.tcp", + "type": "long" + }, + { + "description": "Time needed by Pilot to push Envoy configurations, histogram buckets in milliseconds.\n", + "name": "proxy.conv.ms.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Time needed by Pilot to push Envoy configurations, histogram sum of times in milliseconds.\n", + "name": "proxy.conv.ms.sum", + "type": "long" + }, + { + "description": "Time needed by Pilot to push Envoy configurations, histogram count of times.\n", + "name": "proxy.conv.ms.count", + "type": "long" + }, + { + "description": "Total services known to pilot.\n", + "name": "services", + "type": "integer" + }, + { + "description": "Total virtual services known to pilot.\n", + "name": "virt.services", + "type": "long" + }, + { + "description": "Pods not found in the endpoint 
table, possibly invalid.\n", + "name": "no.ip", + "type": "long" + }, + { + "description": "The instance FQDN.\n", + "name": "cluster", + "type": "text" + }, + { + "description": "The Envoy proxy configuration type.\n", + "name": "type", + "type": "text" + } + ], + "name": "pilot", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + } + } + }, + "jolokia": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost" + ], + "jmx.application": null, + "jmx.instance": null, + "jmx.mappings": null, + "module": "jolokia", + "namespace": "metrics", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Jolokia module\n", + "fields": [ + { + "description": "jolokia contains metrics exposed via jolokia agent\n", + "fields": null, + "name": "jolokia", + "type": "group" + } + ], + "key": "jolokia", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "short_config": false, + "title": "Jolokia" + } + ] + } + }, + "jmx": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Jolokia jmx metricset\n", + "fields": null, + "key": "jmx", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "test": { + "files": { + "config.yml": { + "metricbeat.modules": [ + { + "enabled": true, + "hosts": [ + "localhost:4008" + ], + "jmx.mappings": [ + { + "attributes": [ + { + "attr": "Uptime", + "field": "uptime" + } + ], + "mbean": "java.lang:type=Runtime" + }, + { + "attributes": [ + { + "attr": "CollectionTime", + "field": "gc.cms_collection_time" + }, + { + "attr": "CollectionCount", + "field": "gc.cms_collection_count" + } + ], + "mbean": "java.lang:type=GarbageCollector,name=ConcurrentMarkSweep" + }, + { + "attributes": [ + { + "attr": "HeapMemoryUsage", + "field": "memory.heap_usage" + }, + { + "attr": "NonHeapMemoryUsage", + "field": 
"memory.non_heap_usage" + } + ], + "mbean": "java.lang:type=Memory" + } + ], + "metricsets": [ + "jmx" + ], + "module": "jolokia", + "namespace": "jolokia_metrics", + "period": "10s" + }, + { + "enabled": true, + "hosts": [ + "localhost:4002" + ], + "jmx.mappings": [ + { + "attributes": [ + { + "attr": "OneMinuteRate", + "field": "client_request.read_latency_one_min_rate" + }, + { + "attr": "Count", + "field": "client_request.read_latency" + } + ], + "mbean": "org.apache.cassandra.metrics:type=ClientRequest,scope=Read,name=Latency" + }, + { + "attributes": [ + { + "attr": "OneMinuteRate", + "field": "client_request.write_latency_one_min_rate" + }, + { + "attr": "Count", + "field": "client_request.write_latency" + } + ], + "mbean": "org.apache.cassandra.metrics:type=ClientRequest,scope=Write,name=Latency" + }, + { + "attributes": [ + { + "attr": "Value", + "field": "compaction.completed_tasks" + } + ], + "mbean": "org.apache.cassandra.metrics:type=Compaction,name=CompletedTasks" + }, + { + "attributes": [ + { + "attr": "Value", + "field": "compaction.pending_tasks" + } + ], + "mbean": "org.apache.cassandra.metrics:type=Compaction,name=PendingTasks" + } + ], + "metricsets": [ + "jmx" + ], + "module": "jolokia", + "namespace": "jolokia_metrics", + "period": "10s" + }, + { + "enabled": true, + "hosts": [ + "localhost:4004" + ], + "jmx.mappings": [ + { + "attributes": [ + { + "attr": "serverInfo", + "field": "server_info" + } + ], + "mbean": "Catalina:type=Server", + "target": { + "password": "QED", + "url": "service:jmx:rmi:///jndi/rmi://jolokia:7091/jmxrmi", + "user": "monitorRole" + } + } + ], + "metricsets": [ + "jmx" + ], + "module": "jolokia", + "namespace": "jolokia_metrics", + "period": "10s" + } + ], + "output.elasticsearch": { + "hosts": [ + "localhost:9200" + ] + } + } + } + } + } + } + } + } + } + }, + "kafka": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:9092" + ], + "module": "kafka", + "period": "10s" + } + ], 
+ "fields.yml": [ + { + "description": "Kafka module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "Broker Consumer Group Information have been read from (Broker handling the consumer group).\n", + "fields": [ + { + "description": "Broker id\n", + "name": "id", + "type": "long" + }, + { + "description": "Broker advertised address\n", + "name": "address", + "type": "keyword" + } + ], + "name": "broker", + "type": "group" + }, + { + "description": "Topic name\n", + "name": "topic.name", + "type": "keyword" + }, + { + "description": "Topic error code.\n", + "name": "topic.error.code", + "type": "long" + }, + { + "description": "Partition id.\n", + "name": "partition.id", + "type": "long" + }, + { + "description": "Unique id of the partition in the topic.", + "name": "partition.topic_id", + "type": "keyword" + }, + { + "description": "Unique id of the partition in the topic and the broker.", + "name": "partition.topic_broker_id", + "type": "keyword" + } + ], + "name": "kafka", + "type": "group" + } + ], + "key": "kafka", + "release": "ga", + "short_config": false, + "title": "Kafka" + } + ] + } + }, + "broker": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Broker metrics from Kafka Broker JMX", + "fields": [ + { + "description": "Mbean that this event is related to", + "name": "mbean", + "type": "keyword" + }, + { + "description": "The size of the request queue", + "name": "request.channel.queue.size", + "type": "long" + }, + { + "description": "The rate of failed produce requests per second", + "name": "request.produce.failed_per_second", + "type": "float" + }, + { + "description": "The rate of client fetch request failures per second", + "name": "request.fetch.failed_per_second", + "type": "float" + }, + { + "description": "The number of failed produce requests", + "name": "request.produce.failed", + "type": "float" + }, + { + "description": "The number of client fetch request failures", + "name": 
"request.fetch.failed", + "type": "float" + }, + { + "description": "The leader election rate", + "name": "replication.leader_elections", + "type": "float" + }, + { + "description": "The unclean leader election rate", + "name": "replication.unclean_leader_elections", + "type": "float" + }, + { + "description": "The ZooKeeper closed sessions per second", + "name": "session.zookeeper.disconnect", + "type": "float" + }, + { + "description": "The ZooKeeper expired sessions per second", + "name": "session.zookeeper.expire", + "type": "float" + }, + { + "description": "The ZooKeeper readonly sessions per second", + "name": "session.zookeeper.readonly", + "type": "float" + }, + { + "description": "The ZooKeeper client connections per second", + "name": "session.zookeeper.sync", + "type": "float" + }, + { + "description": "The log flush rate", + "name": "log.flush_rate", + "type": "float" + }, + { + "description": "The incoming byte rate per topic", + "name": "topic.net.in.bytes_per_sec", + "type": "float" + }, + { + "description": "The outgoing byte rate per topic", + "name": "topic.net.out.bytes_per_sec", + "type": "float" + }, + { + "description": "The rejected byte rate per topic", + "name": "topic.net.rejected.bytes_per_sec", + "type": "float" + }, + { + "description": "The incoming message rate per topic", + "name": "topic.messages_in", + "type": "float" + }, + { + "description": "The incoming byte rate", + "name": "net.in.bytes_per_sec", + "type": "float" + }, + { + "description": "The outgoing byte rate", + "name": "net.out.bytes_per_sec", + "type": "float" + }, + { + "description": "The rejected byte rate", + "name": "net.rejected.bytes_per_sec", + "type": "float" + }, + { + "description": "The incoming message rate", + "name": "messages_in", + "type": "float" + } + ], + "name": "broker", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "consumer": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Consumer metrics 
from Kafka Consumer JMX", + "fields": [ + { + "description": "Mbean that this event is related to", + "name": "mbean", + "type": "keyword" + }, + { + "description": "The minimum rate at which the consumer sends fetch requests to a broker", + "name": "fetch_rate", + "type": "float" + }, + { + "description": "The average number of bytes consumed for a specific topic per second", + "name": "bytes_consumed", + "type": "float" + }, + { + "description": "The average number of records consumed per second for a specific topic", + "name": "records_consumed", + "type": "float" + }, + { + "description": "The rate of bytes coming in to the consumer", + "name": "in.bytes_per_sec", + "type": "float" + }, + { + "description": "The maximum consumer lag", + "name": "max_lag", + "type": "float" + }, + { + "description": "The rate of offset commits to ZooKeeper", + "name": "zookeeper_commits", + "type": "float" + }, + { + "description": "The rate of offset commits to Kafka", + "name": "kafka_commits", + "type": "float" + }, + { + "description": "The rate of consumer message consumption", + "name": "messages_in", + "type": "float" + } + ], + "name": "consumer", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "consumergroup": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "consumergroup\n", + "fields": [ + { + "deprecated": 6.5, + "description": "Broker Consumer Group Information have been read from (Broker handling the consumer group).\n", + "fields": [ + { + "description": "Broker id\n", + "name": "id", + "type": "long" + }, + { + "description": "Broker address\n", + "name": "address", + "type": "keyword" + } + ], + "name": "broker", + "type": "group" + }, + { + "description": "Consumer Group ID", + "name": "id", + "type": "keyword" + }, + { + "deprecated": 6.5, + "description": "Topic name", + "name": "topic", + "type": "keyword" + }, + { + "deprecated": 6.5, + "description": "Partition ID", + "name": "partition", + "type": "long" 
+ }, + { + "description": "consumer offset into partition being read", + "name": "offset", + "type": "long" + }, + { + "description": "custom consumer meta data string", + "name": "meta", + "type": "keyword" + }, + { + "description": "consumer lag for partition/topic calculated as the difference between the partition offset and consumer offset", + "name": "consumer_lag", + "type": "long" + }, + { + "description": "kafka consumer/partition error code.\n", + "name": "error.code", + "type": "long" + }, + { + "description": "Assigned client reading events from partition\n", + "fields": [ + { + "description": "Client ID (kafka setting client.id)", + "name": "id", + "type": "keyword" + }, + { + "description": "Client host", + "name": "host", + "type": "keyword" + }, + { + "description": "internal consumer group member ID", + "name": "member_id", + "type": "keyword" + } + ], + "name": "client", + "type": "group" + } + ], + "name": "consumergroup", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "partition": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "partition\n", + "fields": [ + { + "description": "Available offsets of the given partition.\n", + "fields": [ + { + "description": "Newest offset of the partition.\n", + "name": "newest", + "type": "long" + }, + { + "description": "Oldest offset of the partition.\n", + "name": "oldest", + "type": "long" + } + ], + "name": "offset", + "type": "group" + }, + { + "description": "Partition data.\n", + "fields": [ + { + "deprecated": 6.5, + "description": "Partition id.\n", + "name": "id", + "type": "long" + }, + { + "description": "Leader id (broker).\n", + "name": "leader", + "type": "long" + }, + { + "description": "List of isr ids.\n", + "name": "isr", + "type": "keyword" + }, + { + "description": "Replica id (broker).\n", + "name": "replica", + "type": "long" + }, + { + "description": "Indicates if replica is included in the in-sync replicate set (ISR).\n", + "name": 
"insync_replica", + "type": "boolean" + }, + { + "description": "Indicates if replica is the leader\n", + "name": "is_leader", + "type": "boolean" + }, + { + "description": "Error code from fetching partition.\n", + "name": "error.code", + "type": "long" + } + ], + "name": "partition", + "type": "group" + }, + { + "deprecated": 6.5, + "description": "topic error code.\n", + "name": "topic.error.code", + "type": "long" + }, + { + "deprecated": 6.5, + "description": "Topic name\n", + "name": "topic.name", + "type": "keyword" + }, + { + "deprecated": 6.5, + "description": "Broker id\n", + "name": "broker.id", + "type": "long" + }, + { + "deprecated": 6.5, + "description": "Broker address\n", + "name": "broker.address", + "type": "keyword" + } + ], + "name": "partition", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "producer": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Producer metrics from Kafka Producer JMX", + "fields": [ + { + "description": "Mbean that this event is related to", + "name": "mbean", + "type": "keyword" + }, + { + "description": "The total amount of buffer memory", + "name": "available_buffer_bytes", + "type": "float" + }, + { + "description": "The average number of bytes sent", + "name": "batch_size_avg", + "type": "float" + }, + { + "description": "The maximum number of bytes sent", + "name": "batch_size_max", + "type": "long" + }, + { + "description": "The average number of records sent per second", + "name": "record_send_rate", + "type": "float" + }, + { + "description": "The average number of retried record sends per second", + "name": "record_retry_rate", + "type": "float" + }, + { + "description": "The average number of retried record sends per second", + "name": "record_error_rate", + "type": "float" + }, + { + "description": "The average number of records sent per second", + "name": "records_per_request", + "type": "float" + }, + { + "description": "The average record size", + 
"name": "record_size_avg", + "type": "float" + }, + { + "description": "The maximum record size", + "name": "record_size_max", + "type": "long" + }, + { + "description": "The number of producer requests per second", + "name": "request_rate", + "type": "float" + }, + { + "description": "The number of producer responses per second", + "name": "response_rate", + "type": "float" + }, + { + "description": "The producer I/O wait time", + "name": "io_wait", + "type": "float" + }, + { + "description": "The rate of bytes going out for the producer", + "name": "out.bytes_per_sec", + "type": "float" + }, + { + "description": "The producer message rate", + "name": "message_rate", + "type": "float" + } + ], + "name": "producer", + "release": "beta", + "type": "group" + } + ] + } + } + } + } + } + }, + "kibana": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:5601" + ], + "module": "kibana", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Kibana module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "kibana", + "type": "group" + } + ], + "key": "kibana", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "short_config": false, + "title": "Kibana" + } + ] + } + }, + "stats": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Kibana stats and run-time metrics.\n", + "fields": [ + { + "description": "Kibana instance UUID\n", + "migration": true, + "name": "uuid", + "path": "service.id", + "type": "alias" + }, + { + "description": "Kibana instance name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Name of Kibana's internal index\n", + "name": "index", + "type": "keyword" + }, + { + "description": "Kibana instance hostname\n", + "name": "host.name", + "type": "keyword" + }, + { + "description": "Kibana server's hostname and port\n", + "migration": true, + "name": "transport_address", + "path": "service.address", + "type": "alias" + }, + 
{ + "description": "Kibana version\n", + "migration": true, + "name": "version", + "path": "service.version", + "type": "alias" + }, + { + "description": "Whether the Kibana build is a snapshot build\n", + "name": "snapshot", + "type": "boolean" + }, + { + "description": "Kibana instance's health status\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Number of client connections made to the server. Note that browsers can send multiple simultaneous connections to request multiple server assets at once, and they can re-use established connections.\n", + "name": "concurrent_connections", + "type": "long" + }, + { + "description": "Process metrics\n", + "fields": [ + { + "description": "Event loop delay in milliseconds\n", + "name": "event_loop_delay.ms", + "type": "scaled_float" + }, + { + "description": "Process heap metrics\n", + "fields": [ + { + "description": "Total heap allocated to process in bytes\n", + "format": "bytes", + "name": "total.bytes", + "type": "long" + }, + { + "description": "Heap used by process in bytes\n", + "format": "bytes", + "name": "used.bytes", + "type": "long" + }, + { + "description": "Max. 
old space size allocated to Node.js process, in bytes\n", + "format": "bytes", + "name": "size_limit.bytes", + "type": "long" + }, + { + "description": "Uptime of process in milliseconds\n", + "name": "uptime.ms", + "type": "long" + } + ], + "name": "memory.heap", + "type": "group" + } + ], + "name": "process", + "type": "group" + }, + { + "description": "Request count metrics\n", + "fields": [ + { + "description": "Number of requests that were disconnected\n", + "name": "disconnects", + "type": "long" + }, + { + "description": "Total number of requests\n", + "name": "total", + "type": "long" + } + ], + "name": "request", + "type": "group" + }, + { + "description": "Response times metrics\n", + "fields": [ + { + "description": "Average response time in milliseconds\n", + "name": "avg.ms", + "type": "long" + }, + { + "description": "Maximum response time in milliseconds\n", + "name": "max.ms", + "type": "long" + } + ], + "name": "response_time", + "type": "group" + } + ], + "name": "stats", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "status": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Status fields\n", + "fields": [ + { + "description": "Kibana instance name.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Kibana instance uuid.\n", + "migration": true, + "name": "uuid", + "path": "service.id", + "type": "alias" + }, + { + "description": "Kibana version number.\n", + "migration": true, + "name": "version.number", + "path": "service.version", + "type": "alias" + }, + { + "description": "Kibana overall state.\n", + "name": "status.overall.state", + "type": "keyword" + }, + { + "description": "Metrics fields\n", + "fields": [ + { + "description": "Current concurrent connections.\n", + "name": "concurrent_connections", + "type": "long" + }, + { + "description": "Request statistics.\n", + "fields": [ + { + "description": "Total number of disconnected connections.\n", + "name": "disconnects", 
+ "type": "long" + }, + { + "description": "Total number of connections.\n", + "name": "total", + "type": "long" + } + ], + "name": "requests", + "type": "group" + } + ], + "name": "metrics", + "type": "group" + } + ], + "name": "status", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "url": "/api/status" + } + } + } + } + } + } + } + } + }, + "kubernetes": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "hosts": [ + "localhost:10250" + ], + "module": "kubernetes", + "period": "10s", + "ssl.certificate_authorities": [ + "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" + ] + } + ], + "fields.yml": [ + { + "description": "Kubernetes metrics\n", + "fields": [ + { + "description": "Information and statistics of pods managed by kubernetes.\n", + "fields": null, + "name": "kubernetes", + "type": "group" + } + ], + "key": "kubernetes", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "short_config": false, + "title": "Kubernetes" + } + ] + } + }, + "apiserver": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Kubernetes API server metrics\n", + "fields": [ + { + "description": "Client executing requests\n", + "name": "request.client", + "type": "keyword" + }, + { + "description": "Requested resource\n", + "name": "request.resource", + "type": "keyword" + }, + { + "description": "Requested subresource\n", + "name": "request.subresource", + "type": "keyword" + }, + { + "description": "Request scope (cluster, namespace, resource)\n", + "name": "request.scope", + "type": "keyword" + }, + { + "description": "HTTP verb\n", + "name": "request.verb", + "type": "keyword" + }, + { + "description": "HTTP code\n", + "name": "request.code", + "type": "keyword" + }, + { + "description": "Request HTTP content type\n", + "name": "request.content_type", + "type": 
"keyword" + }, + { + "description": "Wether the request uses dry run\n", + "name": "request.dry_run", + "type": "keyword" + }, + { + "description": "Kind of request\n", + "name": "request.kind", + "type": "keyword" + }, + { + "description": "Component handling the request\n", + "name": "request.component", + "type": "keyword" + }, + { + "description": "API group for the resource\n", + "name": "request.group", + "type": "keyword" + }, + { + "description": "version for the group\n", + "name": "request.version", + "type": "keyword" + }, + { + "description": "Request handler\n", + "name": "request.handler", + "type": "keyword" + }, + { + "description": "HTTP method\n", + "name": "request.method", + "type": "keyword" + }, + { + "description": "Request host\n", + "name": "request.host", + "type": "keyword" + }, + { + "fields": [ + { + "description": "CPU seconds", + "name": "cpu.sec", + "type": "double" + }, + { + "description": "Bytes in resident memory", + "format": "bytes", + "name": "memory.resident.bytes", + "type": "long" + }, + { + "description": "Bytes in virtual memory", + "format": "bytes", + "name": "memory.virtual.bytes", + "type": "long" + }, + { + "description": "Number of open file descriptors", + "name": "fds.open.count", + "type": "long" + }, + { + "description": "Seconds since the process started", + "name": "started.sec", + "type": "double" + } + ], + "name": "process", + "type": "group" + }, + { + "fields": [ + { + "description": "Request duration microseconds percentiles", + "name": "request.duration.us.percentile.*", + "object_type": "double", + "type": "object" + }, + { + "description": "Request duration microseconds cumulative sum", + "name": "request.duration.us.sum", + "type": "double" + }, + { + "description": "Request count for duration", + "name": "request.duration.us.count", + "type": "long" + }, + { + "description": "Request size percentiles", + "name": "request.size.bytes.percentile.*", + "object_type": "long", + "type": "object" + }, + { 
+ "description": "Request size cumulative sum", + "format": "bytes", + "name": "request.size.bytes.sum", + "type": "long" + }, + { + "description": "Request count for size", + "name": "request.size.bytes.count", + "type": "long" + }, + { + "description": "Response size percentiles", + "name": "response.size.bytes.percentile.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Response size cumulative sum", + "format": "bytes", + "name": "response.size.bytes.sum", + "type": "long" + }, + { + "description": "Response count", + "name": "response.size.bytes.count", + "type": "long" + }, + { + "description": "Request count for response", + "name": "request.count", + "type": "long" + } + ], + "name": "http", + "type": "group" + }, + { + "description": "Number of requests as client", + "name": "client.request.count", + "type": "long" + }, + { + "fields": [ + { + "description": "Number of requests", + "name": "count", + "type": "long" + }, + { + "description": "Requests latency, sum of latencies in microseconds", + "name": "latency.sum", + "type": "long" + }, + { + "description": "Request latency, number of requests", + "name": "latency.count", + "type": "long" + }, + { + "description": "Request latency histogram buckets", + "name": "latency.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Request duration, sum in microseconds", + "name": "duration.us.sum", + "type": "long" + }, + { + "description": "Request duration, number of operations", + "name": "duration.us.count", + "type": "long" + }, + { + "description": "Request duration, histogram buckets", + "name": "duration.us.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Inflight requests", + "name": "current.count", + "type": "long" + }, + { + "description": "Number of requests active long running requests", + "name": "longrunning.count", + "type": "long" + } + ], + "name": "request", + "type": "group" + }, + { + "description": 
"Number of kubernetes objects at etcd", + "name": "etcd.object.count", + "type": "long" + }, + { + "description": "Number of audit events", + "name": "audit.event.count", + "type": "long" + }, + { + "description": "Number of audit rejected events", + "name": "audit.rejected.count", + "type": "long" + } + ], + "name": "apiserver", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "container": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes container metrics\n", + "fields": [ + { + "description": "Start time\n", + "name": "start_time", + "type": "date" + }, + { + "description": "CPU usage metrics\n", + "fields": [ + { + "fields": [ + { + "fields": [ + { + "description": "Container CPU Core usage nanoseconds\n", + "name": "ns", + "type": "long" + } + ], + "name": "core", + "type": "group" + }, + { + "description": "CPU used nanocores\n", + "name": "nanocores", + "type": "long" + }, + { + "description": "CPU usage as a percentage of the total node allocatable CPU\n", + "format": "percent", + "name": "node.pct", + "type": "scaled_float" + }, + { + "description": "CPU usage as a percentage of the defined limit for the container (or total node allocatable CPU if unlimited)\n", + "format": "percent", + "name": "limit.pct", + "type": "scaled_float" + } + ], + "name": "usage", + "type": "group" + } + ], + "name": "cpu", + "type": "group" + }, + { + "description": "Logs info\n", + "fields": [ + { + "fields": [ + { + "description": "Logs available capacity in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "available", + "type": "group" + }, + { + "fields": [ + { + "description": "Logs total capacity in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "capacity", + "type": "group" + }, + { + "fields": [ + { + 
"description": "Logs used capacity in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "used", + "type": "group" + }, + { + "fields": [ + { + "description": "Total available inodes\n", + "name": "count", + "type": "long" + }, + { + "description": "Total free inodes\n", + "name": "free", + "type": "long" + }, + { + "description": "Total used inodes\n", + "name": "used", + "type": "long" + } + ], + "name": "inodes", + "type": "group" + } + ], + "name": "logs", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Total available memory\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "available", + "type": "group" + }, + { + "fields": [ + { + "description": "Total memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Memory usage as a percentage of the total node allocatable memory\n", + "format": "percent", + "name": "node.pct", + "type": "scaled_float" + }, + { + "description": "Memory usage as a percentage of the defined limit for the container (or total node allocatable memory if unlimited)\n", + "format": "percent", + "name": "limit.pct", + "type": "scaled_float" + } + ], + "name": "usage", + "type": "group" + }, + { + "fields": [ + { + "description": "RSS memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "rss", + "type": "group" + }, + { + "fields": [ + { + "description": "Working set memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "workingset", + "type": "group" + }, + { + "description": "Number of page faults\n", + "name": "pagefaults", + "type": "long" + }, + { + "description": "Number of major page faults\n", + "name": "majorpagefaults", + "type": "long" + } + ], + "name": "memory", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Root filesystem total capacity in bytes\n", + "format": "bytes", + 
"name": "bytes", + "type": "long" + } + ], + "name": "capacity", + "type": "group" + }, + { + "fields": [ + { + "description": "Root filesystem total available in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "available", + "type": "group" + }, + { + "fields": [ + { + "description": "Root filesystem total used in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "used", + "type": "group" + }, + { + "fields": [ + { + "description": "Used inodes\n", + "name": "used", + "type": "long" + } + ], + "name": "inodes", + "type": "group" + } + ], + "name": "rootfs", + "type": "group" + } + ], + "name": "container", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "controllermanager": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Controller manager metrics\n", + "fields": [ + { + "description": "Request handler\n", + "name": "handler", + "type": "keyword" + }, + { + "description": "HTTP code\n", + "name": "code", + "type": "keyword" + }, + { + "description": "HTTP method\n", + "name": "method", + "type": "keyword" + }, + { + "description": "Request host\n", + "name": "host", + "type": "keyword" + }, + { + "description": "Name for the resource\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Infrastructure zone\n", + "name": "zone", + "type": "keyword" + }, + { + "fields": [ + { + "description": "CPU seconds", + "name": "cpu.sec", + "type": "double" + }, + { + "description": "Bytes in resident memory", + "format": "bytes", + "name": "memory.resident.bytes", + "type": "long" + }, + { + "description": "Bytes in virtual memory", + "format": "bytes", + "name": "memory.virtual.bytes", + "type": "long" + }, + { + "description": "Number of open file descriptors", + "name": "fds.open.count", + "type": "long" + }, + { + "description": "Seconds since the process started", + "name": "started.sec", + "type": "double" + } + ], + "name": 
"process", + "type": "group" + }, + { + "fields": [ + { + "description": "Request duration microseconds percentiles", + "name": "request.duration.us.percentile.*", + "object_type": "double", + "type": "object" + }, + { + "description": "Request duration microseconds cumulative sum", + "name": "request.duration.us.sum", + "type": "double" + }, + { + "description": "Request count for duration", + "name": "request.duration.us.count", + "type": "long" + }, + { + "description": "Request size percentiles", + "name": "request.size.bytes.percentile.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Request size cumulative sum", + "format": "bytes", + "name": "request.size.bytes.sum", + "type": "long" + }, + { + "description": "Request count for size", + "name": "request.size.bytes.count", + "type": "long" + }, + { + "description": "Response size percentiles", + "name": "response.size.bytes.percentile.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Response size cumulative sum", + "format": "bytes", + "name": "response.size.bytes.sum", + "type": "long" + }, + { + "description": "Response count", + "name": "response.size.bytes.count", + "type": "long" + }, + { + "description": "Request count for response", + "name": "request.count", + "type": "long" + } + ], + "name": "http", + "type": "group" + }, + { + "description": "Number of requests as client\n", + "name": "client.request.count", + "type": "long" + }, + { + "fields": [ + { + "description": "Longest running processors", + "name": "longestrunning.sec", + "type": "double" + }, + { + "description": "Unfinished processors", + "name": "unfinished.sec", + "type": "double" + }, + { + "description": "Workqueue add count", + "name": "adds.count", + "type": "long" + }, + { + "description": "Workqueue depth count", + "name": "depth.count", + "type": "long" + }, + { + "description": "Workqueue number of retries", + "name": "retries.count", + "type": "long" + } + ], + "name": 
"workqueue", + "type": "group" + }, + { + "fields": [ + { + "description": "Number of node evictions", + "name": "eviction.count", + "type": "long" + }, + { + "description": "Number of unhealthy nodes", + "name": "unhealthy.count", + "type": "long" + }, + { + "description": "Number of nodes", + "name": "count", + "type": "long" + }, + { + "description": "Percentage of healthy nodes", + "name": "health.pct", + "type": "long" + } + ], + "name": "node.collector", + "type": "group" + }, + { + "description": "Whether the node is master\n", + "name": "leader.is_master", + "type": "boolean" + } + ], + "name": "controllermanager", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "event": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "The Kubernetes events metricset collects events that are generated by objects running inside of Kubernetes\n", + "fields": [ + { + "description": "Count field records the number of times the particular event has occurred\n", + "name": "count", + "type": "long" + }, + { + "fields": [ + { + "description": "Timestamp of first occurrence of event\n", + "name": "first_occurrence", + "type": "date" + }, + { + "description": "Timestamp of last occurrence of event\n", + "name": "last_occurrence", + "type": "date" + } + ], + "name": "timestamp", + "type": "group" + }, + { + "copy_to": "message", + "description": "Message recorded for the given event\n", + "name": "message", + "type": "text" + }, + { + "description": "Reason recorded for the given event\n", + "name": "reason", + "type": "keyword" + }, + { + "description": "Type of the given event\n", + "name": "type", + "type": "keyword" + }, + { + "description": "The component reporting this event\n", + "fields": [ + { + "description": "Component from which the event is generated\n", + "name": "component", + 
"type": "keyword" + }, + { + "description": "Node name on which the event is generated\n", + "name": "host", + "type": "keyword" + } + ], + "name": "source", + "type": "group" + }, + { + "description": "Metadata associated with the given event\n", + "fields": [ + { + "fields": [ + { + "description": "Timestamp of creation of the given event\n", + "name": "created", + "type": "date" + } + ], + "name": "timestamp", + "type": "group" + }, + { + "description": "Generate name of the event\n", + "name": "generate_name", + "type": "keyword" + }, + { + "description": "Name of the event\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Namespace in which event was generated\n", + "name": "namespace", + "type": "keyword" + }, + { + "description": "Version of the event resource\n", + "name": "resource_version", + "type": "keyword" + }, + { + "description": "Unique identifier to the event object\n", + "name": "uid", + "type": "keyword" + }, + { + "description": "URL representing the event\n", + "name": "self_link", + "type": "keyword" + } + ], + "name": "metadata", + "type": "group" + }, + { + "description": "Metadata associated with the given involved object\n", + "fields": [ + { + "description": "API version of the object\n", + "name": "api_version", + "type": "keyword" + }, + { + "description": "API kind of the object\n", + "name": "kind", + "type": "keyword" + }, + { + "description": "name of the object\n", + "name": "name", + "type": "keyword" + }, + { + "description": "resource version of the object\n", + "name": "resource_version", + "type": "keyword" + }, + { + "description": "UUID version of the object\n", + "name": "uid", + "type": "keyword" + } + ], + "name": "involved_object", + "type": "group" + } + ], + "name": "event", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "node": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes node metrics\n", + "fields": [ + { + "description": "Start 
time\n", + "name": "start_time", + "type": "date" + }, + { + "description": "CPU usage metrics\n", + "fields": [ + { + "fields": [ + { + "fields": [ + { + "description": "Node CPU Core usage nanoseconds\n", + "name": "ns", + "type": "long" + } + ], + "name": "core", + "type": "group" + }, + { + "description": "CPU used nanocores\n", + "name": "nanocores", + "type": "long" + } + ], + "name": "usage", + "type": "group" + } + ], + "name": "cpu", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Total available memory\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "available", + "type": "group" + }, + { + "fields": [ + { + "description": "Total memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "usage", + "type": "group" + }, + { + "fields": [ + { + "description": "RSS memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "rss", + "type": "group" + }, + { + "fields": [ + { + "description": "Working set memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "workingset", + "type": "group" + }, + { + "description": "Number of page faults\n", + "name": "pagefaults", + "type": "long" + }, + { + "description": "Number of major page faults\n", + "name": "majorpagefaults", + "type": "long" + } + ], + "name": "memory", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Received bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Rx errors\n", + "name": "errors", + "type": "long" + } + ], + "name": "rx", + "type": "group" + }, + { + "fields": [ + { + "description": "Transmitted bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Tx errors\n", + "name": "errors", + "type": "long" + } + ], + "name": "tx", + "type": "group" + } + ], + "name": "network", + "type": "group" + }, + { + 
"fields": [ + { + "fields": [ + { + "description": "Filesystem total capacity in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "capacity", + "type": "group" + }, + { + "fields": [ + { + "description": "Filesystem total available in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "available", + "type": "group" + }, + { + "fields": [ + { + "description": "Filesystem total used in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "used", + "type": "group" + }, + { + "fields": [ + { + "description": "Number of used inodes\n", + "name": "used", + "type": "long" + }, + { + "description": "Number of inodes\n", + "name": "count", + "type": "long" + }, + { + "description": "Number of free inodes\n", + "name": "free", + "type": "long" + } + ], + "name": "inodes", + "type": "group" + } + ], + "name": "fs", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "fields": [ + { + "description": "Image filesystem total capacity in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "capacity", + "type": "group" + }, + { + "fields": [ + { + "description": "Image filesystem total available in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "available", + "type": "group" + }, + { + "fields": [ + { + "description": "Image filesystem total used in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "used", + "type": "group" + } + ], + "name": "imagefs", + "type": "group" + } + ], + "name": "runtime", + "type": "group" + } + ], + "name": "node", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "pod": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes pod metrics\n", + "fields": [ + { + "description": "Start time\n", + "name": "start_time", + "type": "date" + }, + { + "fields": [ + { + "fields": [ + { + 
"description": "Received bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Rx errors\n", + "name": "errors", + "type": "long" + } + ], + "name": "rx", + "type": "group" + }, + { + "fields": [ + { + "description": "Transmitted bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Tx errors\n", + "name": "errors", + "type": "long" + } + ], + "name": "tx", + "type": "group" + } + ], + "name": "network", + "type": "group" + }, + { + "description": "CPU usage metrics\n", + "fields": [ + { + "fields": [ + { + "description": "CPU used nanocores\n", + "name": "nanocores", + "type": "long" + }, + { + "description": "CPU usage as a percentage of the total node CPU\n", + "format": "percent", + "name": "node.pct", + "type": "scaled_float" + }, + { + "description": "CPU usage as a percentage of the defined limit for the pod containers (or total node CPU if one or more containers of the pod are unlimited)\n", + "format": "percent", + "name": "limit.pct", + "type": "scaled_float" + } + ], + "name": "usage", + "type": "group" + } + ], + "name": "cpu", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Total memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "Memory usage as a percentage of the total node allocatable memory\n", + "format": "percent", + "name": "node.pct", + "type": "scaled_float" + }, + { + "description": "Memory usage as a percentage of the defined limit for the pod containers (or total node allocatable memory if unlimited)\n", + "format": "percent", + "name": "limit.pct", + "type": "scaled_float" + } + ], + "name": "usage", + "type": "group" + }, + { + "fields": [ + { + "description": "Total memory available\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "available", + "type": "group" + }, + { + "fields": [ + { + "description": "Total working set memory\n", + "format": 
"bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "working_set", + "type": "group" + }, + { + "fields": [ + { + "description": "Total resident set size memory\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "rss", + "type": "group" + }, + { + "description": "Total page faults\n", + "name": "page_faults", + "type": "long" + }, + { + "description": "Total major page faults\n", + "name": "major_page_faults", + "type": "long" + } + ], + "name": "memory", + "type": "group" + } + ], + "name": "pod", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "proxy": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Kubernetes proxy server metrics\n", + "fields": [ + { + "description": "Request handler\n", + "name": "handler", + "type": "keyword" + }, + { + "description": "HTTP code\n", + "name": "code", + "type": "keyword" + }, + { + "description": "HTTP method\n", + "name": "method", + "type": "keyword" + }, + { + "description": "Request host\n", + "name": "host", + "type": "keyword" + }, + { + "fields": [ + { + "description": "CPU seconds", + "name": "cpu.sec", + "type": "double" + }, + { + "description": "Bytes in resident memory", + "format": "bytes", + "name": "memory.resident.bytes", + "type": "long" + }, + { + "description": "Bytes in virtual memory", + "format": "bytes", + "name": "memory.virtual.bytes", + "type": "long" + }, + { + "description": "Number of open file descriptors", + "name": "fds.open.count", + "type": "long" + }, + { + "description": "Seconds since the process started", + "name": "started.sec", + "type": "double" + } + ], + "name": "process", + "type": "group" + }, + { + "fields": [ + { + "description": "Request duration microseconds percentiles", + "name": "request.duration.us.percentile.*", + "object_type": "double", + "type": "object" + }, + { + "description": "Request duration microseconds cumulative sum", + "name": "request.duration.us.sum", + "type": 
"double" + }, + { + "description": "Request count for duration", + "name": "request.duration.us.count", + "type": "long" + }, + { + "description": "Request size percentiles", + "name": "request.size.bytes.percentile.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Request size cumulative sum", + "format": "bytes", + "name": "request.size.bytes.sum", + "type": "long" + }, + { + "description": "Request count for size", + "name": "request.size.bytes.count", + "type": "long" + }, + { + "description": "Response size percentiles", + "name": "response.size.bytes.percentile.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Response size cumulative sum", + "format": "bytes", + "name": "response.size.bytes.sum", + "type": "long" + }, + { + "description": "Response count", + "name": "response.size.bytes.count", + "type": "long" + }, + { + "description": "Request count", + "name": "request.count", + "type": "long" + } + ], + "name": "http", + "type": "group" + }, + { + "description": "Number of requests as client\n", + "name": "client.request.count", + "type": "long" + }, + { + "description": "kubeproxy proxy sync metrics\n", + "fields": [ + { + "description": "SyncProxyRules duration, sum of durations in microseconds", + "name": "rules.duration.us.sum", + "type": "long" + }, + { + "description": "SyncProxyRules duration, number of operations", + "name": "rules.duration.us.count", + "type": "long" + }, + { + "description": "SyncProxyRules duration, histogram buckets", + "name": "rules.duration.us.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Network programming duration, sum in microseconds", + "name": "networkprogramming.duration.us.sum", + "type": "long" + }, + { + "description": "Network programming duration, number of operations", + "name": "networkprogramming.duration.us.count", + "type": "long" + }, + { + "description": "Network programming duration, histogram buckets", + "name": 
"networkprogramming.duration.us.bucket.*", + "object_type": "long", + "type": "object" + } + ], + "name": "sync", + "type": "group" + } + ], + "name": "proxy", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "scheduler": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Kubernetes scheduler metrics\n", + "fields": [ + { + "description": "Request handler\n", + "name": "handler", + "type": "keyword" + }, + { + "description": "HTTP code\n", + "name": "code", + "type": "keyword" + }, + { + "description": "HTTP method\n", + "name": "method", + "type": "keyword" + }, + { + "description": "Request host\n", + "name": "host", + "type": "keyword" + }, + { + "description": "Name for the resource\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Schedule attempt result\n", + "name": "result", + "type": "keyword" + }, + { + "description": "Scheduling operation\n", + "name": "operation", + "type": "keyword" + }, + { + "fields": [ + { + "description": "CPU seconds", + "name": "cpu.sec", + "type": "double" + }, + { + "description": "Bytes in resident memory", + "format": "bytes", + "name": "memory.resident.bytes", + "type": "long" + }, + { + "description": "Bytes in virtual memory", + "format": "bytes", + "name": "memory.virtual.bytes", + "type": "long" + }, + { + "description": "Number of open file descriptors", + "name": "fds.open.count", + "type": "long" + }, + { + "description": "Seconds since the process started", + "name": "started.sec", + "type": "double" + } + ], + "name": "process", + "type": "group" + }, + { + "fields": [ + { + "description": "Request duration microseconds percentiles", + "name": "request.duration.us.percentile.*", + "object_type": "double", + "type": "object" + }, + { + "description": "Request duration microseconds cumulative sum", + "name": 
"request.duration.us.sum", + "type": "double" + }, + { + "description": "Request count for duration", + "name": "request.duration.us.count", + "type": "long" + }, + { + "description": "Request size percentiles", + "name": "request.size.bytes.percentile.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Request size cumulative sum", + "format": "bytes", + "name": "request.size.bytes.sum", + "type": "long" + }, + { + "description": "Request count for size", + "name": "request.size.bytes.count", + "type": "long" + }, + { + "description": "Response size percentiles", + "name": "response.size.bytes.percentile.*", + "object_type": "long", + "type": "object" + }, + { + "description": "Response size cumulative sum", + "format": "bytes", + "name": "response.size.bytes.sum", + "type": "long" + }, + { + "description": "Response count", + "name": "response.size.bytes.count", + "type": "long" + }, + { + "description": "Request count", + "name": "request.count", + "type": "long" + } + ], + "name": "http", + "type": "group" + }, + { + "description": "Number of requests as client\n", + "name": "client.request.count", + "type": "long" + }, + { + "description": "Whether the node is master\n", + "name": "leader.is_master", + "type": "boolean" + }, + { + "fields": [ + { + "description": "End to end scheduling duration microseconds", + "name": "e2e.duration.us.bucket.*", + "object_type": "long", + "type": "object" + }, + { + "description": "End to end scheduling duration microseconds sum", + "name": "e2e.duration.us.sum", + "type": "long" + }, + { + "description": "End to end scheduling count", + "name": "e2e.duration.us.count", + "type": "long" + }, + { + "description": "Pod preemption victims", + "name": "pod.preemption.victims.bucket.*", + "type": "long" + }, + { + "description": "Pod preemption victims sum", + "name": "pod.preemption.victims.sum", + "type": "long" + }, + { + "description": "Pod preemption victims count", + "name": 
"pod.preemption.victims.count", + "type": "long" + }, + { + "description": "Pod attempts count", + "name": "pod.attempts.count", + "type": "long" + }, + { + "description": "Scheduling duration percentiles", + "name": "duration.seconds.percentile.*", + "object_type": "double", + "type": "object" + }, + { + "description": "Scheduling duration cumulative sum", + "name": "duration.seconds.sum", + "type": "double" + }, + { + "description": "Scheduling count", + "name": "duration.seconds.count", + "type": "long" + } + ], + "name": "scheduling", + "type": "group" + } + ], + "name": "scheduler", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "state_container": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes container metrics\n", + "fields": [ + { + "description": "Container id", + "name": "id", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Container phase (running, waiting, terminated)\n", + "name": "phase", + "type": "keyword" + }, + { + "description": "Container ready status\n", + "name": "ready", + "type": "boolean" + }, + { + "description": "Container restarts count\n", + "name": "restarts", + "type": "integer" + }, + { + "description": "Waiting (ContainerCreating, CrashLoopBackoff, ErrImagePull, ImagePullBackoff) or termination (Completed, ContainerCannotRun, Error, OOMKilled) reason.\n", + "name": "reason", + "type": "keyword" + } + ], + "name": "status", + "type": "group" + }, + { + "fields": [ + { + "description": "Container CPU cores limit\n", + "name": "limit.cores", + "type": "float" + }, + { + "description": "Container CPU requested cores\n", + "name": "request.cores", + "type": "float" + }, + { + "deprecated": 6.4, + "description": "Container CPU nanocores limit\n", + "name": "limit.nanocores", + "type": "long" + }, + { + "deprecated": 6.4, + 
"description": "Container CPU requested nanocores\n", + "name": "request.nanocores", + "type": "long" + } + ], + "name": "cpu", + "type": "group" + }, + { + "fields": [ + { + "description": "Container memory limit in bytes\n", + "format": "bytes", + "name": "limit.bytes", + "type": "long" + }, + { + "description": "Container requested memory in bytes\n", + "format": "bytes", + "name": "request.bytes", + "type": "long" + } + ], + "name": "memory", + "type": "group" + } + ], + "name": "container", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "state_cronjob": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes cronjob metrics\n", + "fields": [ + { + "description": "Cronjob name", + "name": "name", + "type": "keyword" + }, + { + "description": "Cronjob schedule", + "name": "schedule", + "type": "keyword" + }, + { + "description": "Concurrency policy", + "name": "concurrency", + "type": "keyword" + }, + { + "description": "Number of active pods for the cronjob", + "name": "active.count", + "type": "long" + }, + { + "description": "Whether the cronjob is suspended", + "name": "is_suspended", + "type": "boolean" + }, + { + "description": "Epoch seconds since the cronjob was created", + "name": "created.sec", + "type": "double" + }, + { + "description": "Epoch seconds for last cronjob run", + "name": "last_schedule.sec", + "type": "double" + }, + { + "description": "Epoch seconds for next cronjob run", + "name": "next_schedule.sec", + "type": "double" + }, + { + "description": "Deadline seconds after schedule for considering failed", + "name": "deadline.sec", + "type": "long" + } + ], + "name": "cronjob", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "state_deployment": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": 
"kubernetes deployment metrics\n", + "fields": [ + { + "description": "Kubernetes deployment paused status\n", + "name": "paused", + "type": "boolean" + }, + { + "description": "Kubernetes deployment replicas info\n", + "fields": [ + { + "description": "Deployment number of desired replicas (spec)\n", + "name": "desired", + "type": "integer" + }, + { + "description": "Deployment available replicas\n", + "name": "available", + "type": "integer" + }, + { + "description": "Deployment unavailable replicas\n", + "name": "unavailable", + "type": "integer" + }, + { + "description": "Deployment updated replicas\n", + "name": "updated", + "type": "integer" + } + ], + "name": "replicas", + "type": "group" + } + ], + "name": "deployment", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "module": { + "timeout": "30s" + }, + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "state_node": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes node metrics\n", + "fields": [ + { + "fields": [ + { + "description": "Node ready status (true, false or unknown)\n", + "name": "ready", + "type": "keyword" + }, + { + "description": "Node unschedulable status\n", + "name": "unschedulable", + "type": "boolean" + } + ], + "name": "status", + "type": "group" + }, + { + "fields": [ + { + "description": "Node CPU allocatable cores\n", + "name": "allocatable.cores", + "type": "float" + }, + { + "description": "Node CPU capacity cores\n", + "name": "capacity.cores", + "type": "long" + } + ], + "name": "cpu", + "type": "group" + }, + { + "fields": [ + { + "description": "Node allocatable memory in bytes\n", + "format": "bytes", + "name": "allocatable.bytes", + "type": "long" + }, + { + "description": "Node memory capacity in bytes\n", + "format": "bytes", + "name": "capacity.bytes", + "type": "long" + } + ], + "name": "memory", + "type": "group" + }, + { + 
"fields": [ + { + "description": "Node allocatable pods\n", + "name": "allocatable.total", + "type": "long" + }, + { + "description": "Node pod capacity\n", + "name": "capacity.total", + "type": "long" + } + ], + "name": "pod", + "type": "group" + } + ], + "name": "node", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "state_persistentvolume": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes persistent volume metrics from kube-state-metrics\n", + "fields": [ + { + "description": "Volume name.", + "name": "name", + "type": "keyword" + }, + { + "description": "Volume capacity", + "name": "capacity.bytes", + "type": "long" + }, + { + "description": "Volume phase according to kubernetes", + "name": "phase", + "type": "keyword" + }, + { + "description": "Storage class for the volume", + "name": "storage_class", + "type": "keyword" + } + ], + "name": "persistentvolume", + "release": "experimental", + "type": "group" + } + ] + } + } + } + }, + "state_persistentvolumeclaim": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes persistent volume clame metrics from kube-state-metrics\n", + "fields": [ + { + "description": "PVC name.", + "name": "name", + "type": "keyword" + }, + { + "description": "Binded volume name.", + "name": "volume_name", + "type": "keyword" + }, + { + "description": "Requested capacity.", + "name": "request_storage.bytes", + "type": "long" + }, + { + "description": "PVC phase.", + "name": "phase", + "type": "keyword" + }, + { + "description": "Access mode.", + "name": "access_mode", + "type": "keyword" + }, + { + "description": "Storage class for the PVC.", + "name": "storage_class", + "type": "keyword" + } + ], + "name": "persistentvolumeclaim", + "release": "experimental", + "type": "group" + } + ] + } + } + } + 
}, + "state_pod": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes pod metrics\n", + "fields": [ + { + "description": "Kubernetes pod IP\n", + "name": "ip", + "type": "ip" + }, + { + "description": "Kubernetes pod host IP\n", + "name": "host_ip", + "type": "ip" + }, + { + "description": "Kubernetes pod status metrics\n", + "fields": [ + { + "description": "Kubernetes pod phase (Running, Pending...)\n", + "name": "phase", + "type": "keyword" + }, + { + "description": "Kubernetes pod ready status (true, false or unknown)\n", + "name": "ready", + "type": "keyword" + }, + { + "description": "Kubernetes pod scheduled status (true, false, unknown)\n", + "name": "scheduled", + "type": "keyword" + } + ], + "name": "status", + "type": "group" + } + ], + "name": "pod", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "state_replicaset": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes replica set metrics\n", + "fields": [ + { + "description": "Kubernetes replica set paused status\n", + "fields": [ + { + "description": "The number of replicas per ReplicaSet\n", + "name": "available", + "type": "long" + }, + { + "description": "The number of replicas per ReplicaSet\n", + "name": "desired", + "type": "long" + }, + { + "description": "The number of ready replicas per ReplicaSet\n", + "name": "ready", + "type": "long" + }, + { + "description": "The generation observed by the ReplicaSet controller\n", + "name": "observed", + "type": "long" + }, + { + "description": "The number of fully labeled replicas per ReplicaSet\n", + "name": "labeled", + "type": "long" + } + ], + "name": "replicas", + "type": "group" + } + ], + "name": "replicaset", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + 
"config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "state_resourcequota": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes resourcequota metrics\n", + "fields": [ + { + "description": "Epoch seconds since the ResourceQuota was created", + "name": "created.sec", + "type": "double" + }, + { + "description": "Quota informed (hard or used) for the resource", + "name": "quota", + "type": "double" + }, + { + "description": "ResourceQuota name", + "name": "name", + "type": "keyword" + }, + { + "description": "Quota information type, `hard` or `used`", + "name": "type", + "type": "keyword" + }, + { + "description": "Resource name the quota applies to", + "name": "resource", + "type": "keyword" + } + ], + "name": "resourcequota", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "state_service": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes service metrics\n", + "fields": [ + { + "description": "Service name.", + "name": "name", + "type": "keyword" + }, + { + "description": "Internal IP for the service.", + "name": "cluster_ip", + "type": "ip" + }, + { + "description": "Service external DNS name", + "name": "external_name", + "type": "keyword" + }, + { + "description": "Service external IP", + "name": "external_ip", + "type": "keyword" + }, + { + "description": "Load Balancer service IP", + "name": "load_balancer_ip", + "type": "keyword" + }, + { + "description": "Service type", + "name": "type", + "type": "keyword" + }, + { + "description": "Ingress IP", + "name": "ingress_ip", + "type": "keyword" + }, + { + "description": "Ingress Hostname", + "name": "ingress_hostname", + "type": "keyword" + }, + { + "description": "Service creation date", + "name": "created", + "type": "date" + } + ], + "name": "service", + "release": "experimental", + "type": "group" + } + ] + } + } + } + }, + "state_statefulset": { + 
"folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes stateful set metrics\n", + "fields": [ + { + "description": "The creation timestamp (epoch) for StatefulSet\n", + "name": "created", + "type": "long" + }, + { + "description": "Kubernetes stateful set replicas status\n", + "fields": [ + { + "description": "The number of observed replicas per StatefulSet\n", + "name": "observed", + "type": "long" + }, + { + "description": "The number of desired replicas per StatefulSet\n", + "name": "desired", + "type": "long" + } + ], + "name": "replicas", + "type": "group" + }, + { + "description": "Kubernetes stateful set generation information\n", + "fields": [ + { + "description": "The observed generation per StatefulSet\n", + "name": "observed", + "type": "long" + }, + { + "description": "The desired generation per StatefulSet\n", + "name": "desired", + "type": "long" + } + ], + "name": "generation", + "type": "group" + } + ], + "name": "statefulset", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "state_storageclass": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes storage class metrics\n", + "fields": [ + { + "description": "Storage class name.", + "name": "name", + "type": "keyword" + }, + { + "description": "Volume provisioner for the storage class.", + "name": "provisioner", + "type": "keyword" + }, + { + "description": "Reclaim policy for dynamically created volumes", + "name": "reclaim_policy", + "type": "keyword" + }, + { + "description": "Mode for default provisioning and binding", + "name": "volume_binding_mode", + "type": "keyword" + }, + { + "description": "Storage class creation date", + "name": "created", + "type": "date" + } + ], + "name": "storageclass", + "release": "experimental", + "type": "group" + } + ] + } + } + } + }, 
+ "system": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes system containers metrics\n", + "fields": [ + { + "description": "Container name\n", + "name": "container", + "type": "keyword" + }, + { + "description": "Start time\n", + "name": "start_time", + "type": "date" + }, + { + "description": "CPU usage metrics\n", + "fields": [ + { + "fields": [ + { + "fields": [ + { + "description": "CPU Core usage nanoseconds\n", + "name": "ns", + "type": "long" + } + ], + "name": "core", + "type": "group" + }, + { + "description": "CPU used nanocores\n", + "name": "nanocores", + "type": "long" + } + ], + "name": "usage", + "type": "group" + } + ], + "name": "cpu", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Total memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "usage", + "type": "group" + }, + { + "fields": [ + { + "description": "RSS memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "rss", + "type": "group" + }, + { + "fields": [ + { + "description": "Working set memory usage\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "workingset", + "type": "group" + }, + { + "description": "Number of page faults\n", + "name": "pagefaults", + "type": "long" + }, + { + "description": "Number of major page faults\n", + "name": "majorpagefaults", + "type": "long" + } + ], + "name": "memory", + "type": "group" + } + ], + "name": "system", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "volume": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "kubernetes volume metrics\n", + "fields": [ + { + "description": "Volume name\n", + "name": "name", + "type": "keyword" + }, + { + "fields": [ + { + "fields": [ + { + "description": "Filesystem total capacity in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": 
"capacity", + "type": "group" + }, + { + "fields": [ + { + "description": "Filesystem total available in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "available", + "type": "group" + }, + { + "fields": [ + { + "description": "Filesystem total used in bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "used", + "type": "group" + }, + { + "fields": [ + { + "description": "Used inodes\n", + "name": "used", + "type": "long" + }, + { + "description": "Free inodes\n", + "name": "free", + "type": "long" + }, + { + "description": "Total inodes\n", + "name": "count", + "type": "long" + } + ], + "name": "inodes", + "type": "group" + } + ], + "name": "fs", + "type": "group" + } + ], + "name": "volume", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "kvm": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "unix:///var/run/libvirt/libvirt-sock" + ], + "module": "kvm", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "kvm module\n", + "fields": [ + { + "description": "Domain id\n", + "name": "kvm.id", + "type": "long" + }, + { + "description": "Domain name\n", + "name": "kvm.name", + "type": "keyword" + }, + { + "description": "", + "fields": null, + "name": "kvm", + "type": "group" + } + ], + "key": "kvm", + "release": "beta", + "title": "KVM" + } + ] + } + }, + "dommemstat": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "dommemstat\n", + "fields": [ + { + "description": "Memory stat\n", + "fields": [ + { + "description": "Memory stat name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Memory stat value\n", + "name": "value", + "type": "long" + } + ], + "name": "stat", + "type": "group" + }, + { + "description": "Domain id\n", + "name": "id", + "type": "long" + }, + { + "description": "Domain name\n", + "name": "name", + "type": "keyword" + } + ], + "name": "dommemstat", + 
"release": "beta", + "type": "group" + } + ] + } + } + } + }, + "status": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "status\n", + "fields": [ + { + "description": "Domain state\n", + "name": "state", + "type": "keyword" + } + ], + "name": "status", + "release": "beta", + "type": "group" + } + ] + } + } + } + } + } + }, + "linux": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "enabled": true, + "metricsets": [ + "pageinfo" + ], + "module": "linux", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "linux module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "linux", + "type": "group" + } + ], + "key": "linux", + "release": "beta", + "title": "linux" + } + ] + } + }, + "conntrack": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "conntrack\n", + "fields": [ + { + "description": "summary of nf_conntrack statistics, summed across CPU cores\n", + "fields": [ + { + "description": "packets dropped due to conntrack failiure\n", + "name": "drop", + "type": "long" + }, + { + "description": "conntrack entries dropped to make room for new ones\n", + "name": "early_drop", + "type": "long" + }, + { + "description": "entries in the conntrack table\n", + "name": "entries", + "type": "long" + }, + { + "description": "successfully searched entries\n", + "name": "found", + "type": "long" + }, + { + "description": "packets seen already connected to a conntrack entry\n", + "name": "ignore", + "type": "long" + }, + { + "description": "Number of entries where list insert insert failed \n", + "name": "insert_failed", + "type": "long" + }, + { + "description": "packets seen that cannot be tracked\n", + "name": "invalid", + "type": "long" + }, + { + "description": "table lookups which had to be restarted due to table resizes\n", + "name": "search_restart", + "type": "long" + } + ], + "name": "summary", + "type": "group" + } + ], + "name": "conntrack", + 
"release": "beta", + "type": "group" + } + ] + } + } + } + }, + "ksm": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "ksm\n", + "fields": [ + { + "description": "KSM statistics\n", + "fields": [ + { + "description": "Shared pages in use.\n", + "name": "pages_shared", + "type": "long" + }, + { + "description": "Sites sharing pages.\n", + "name": "pages_sharing", + "type": "long" + }, + { + "description": "Unique pages.\n", + "name": "pages_unshared", + "type": "long" + }, + { + "description": "Pages changing too fast to be shared.\n", + "nmae": "pages_volatile", + "type": "long" + }, + { + "description": "Number of times mergable pages have been scanned.\n", + "name": "full_scans", + "type": "long" + }, + { + "description": "Pages that have reached max_page_sharing.\n", + "name": "stable_node_chains", + "type": "long" + }, + { + "description": "Number of duplicated KSM pages.\n", + "name": "stable_node_dups", + "type": "long" + } + ], + "name": "stats", + "type": "group" + } + ], + "name": "ksm", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "pageinfo": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "pageinfo\n", + "fields": [ + { + "description": "Data from /proc/buddyinfo grouping used pages by order\n", + "fields": [ + { + "description": "DMA page Data\n", + "fields": [ + { + "description": "free chunks of 2^0*PAGE_SIZE\n", + "name": "0", + "type": "long" + }, + { + "description": "free chunks of 2^1*PAGE_SIZE\n", + "name": "1", + "type": "long" + }, + { + "description": "free chunks of 2^2*PAGE_SIZE\n", + "name": "2", + "type": "long" + }, + { + "description": "free chunks of 2^3*PAGE_SIZE\n", + "name": "3", + "type": "long" + }, + { + "description": "free chunks of 2^4*PAGE_SIZE\n", + "name": "4", + "type": "long" + }, + { + "description": "free chunks of 2^5*PAGE_SIZE\n", + "name": "5", + "type": "long" + }, + { + "description": "free chunks of 2^6*PAGE_SIZE\n", + 
"name": "6", + "type": "long" + }, + { + "description": "free chunks of 2^7*PAGE_SIZE\n", + "name": "7", + "type": "long" + }, + { + "description": "free chunks of 2^8*PAGE_SIZE\n", + "name": "8", + "type": "long" + }, + { + "description": "free chunks of 2^9*PAGE_SIZE\n", + "name": "9", + "type": "long" + }, + { + "description": "free chunks of 2^10*PAGE_SIZE\n", + "name": "10", + "type": "long" + } + ], + "name": "DMA", + "type": "group" + } + ], + "name": "buddy_info", + "type": "group" + }, + { + "description": "Raw allocation info from /proc/pagetypeinfo\n", + "name": "nodes.*", + "type": "object" + } + ], + "name": "pageinfo", + "release": "beta", + "type": "group" + } + ] + } + } + } + } + } + }, + "logstash": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:9600" + ], + "module": "logstash", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Logstash module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "logstash", + "type": "group" + } + ], + "key": "logstash", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "title": "Logstash" + } + ] + } + }, + "node": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "node\n", + "fields": [ + { + "description": "Host name\n", + "migration": true, + "name": "host", + "path": "host.hostname", + "type": "alias" + }, + { + "description": "Logstash Version\n", + "migration": true, + "name": "version", + "path": "service.version", + "type": "alias" + }, + { + "description": "JVM Info\n", + "fields": [ + { + "description": "Version\n", + "name": "version", + "type": "keyword" + }, + { + "description": "Process ID\n", + "migration": true, + "name": "pid", + "path": "process.pid", + "type": "alias" + } + ], + "name": "jvm", + "type": "group" + } + ], + "name": "node", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "node_stats": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ 
+ { + "description": "node_stats metrics.\n", + "fields": [ + { + "description": "Events stats\n", + "fields": [ + { + "description": "Incoming events counter.\n", + "name": "in", + "type": "long" + }, + { + "description": "Outgoing events counter.\n", + "name": "out", + "type": "long" + }, + { + "description": "Filtered events counter.\n", + "name": "filtered", + "type": "long" + } + ], + "name": "events", + "type": "group" + } + ], + "name": "node.stats", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "memcached": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:11211" + ], + "module": "memcached", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Memcached module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "memcached", + "type": "group" + } + ], + "key": "memcached", + "release": "ga", + "short_config": false, + "title": "Memcached" + } + ] + } + }, + "stats": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "stats\n", + "fields": [ + { + "description": "Current process ID of the Memcached task.\n", + "name": "pid", + "type": "long" + }, + { + "description": "Memcached server uptime.\n", + "name": "uptime.sec", + "type": "long" + }, + { + "description": "Number of threads used by the current Memcached server process.\n", + "name": "threads", + "type": "long" + }, + { + "description": "Number of open connections to this Memcached server, should be the same value on all servers during normal operation.\n", + "name": "connections.current", + "type": "long" + }, + { + "description": "Numer of successful connect attempts to this server since it has been started.\n", + "name": "connections.total", + "type": "long" + }, + { + "description": "Number of successful \"get\" commands (cache hits) since startup, divide them by the \"cmd_get\" value to get the cache hitrate.\n", + "name": "get.hits", + "type": "long" + }, + { + 
"description": "Number of failed \"get\" requests because nothing was cached for this key or the cached value was too old.\n", + "name": "get.misses", + "type": "long" + }, + { + "description": "Number of \"get\" commands received since server startup not counting if they were successful or not.\n", + "name": "cmd.get", + "type": "long" + }, + { + "description": "Number of \"set\" commands serviced since startup.\n", + "name": "cmd.set", + "type": "long" + }, + { + "description": "Total number of bytes received from the network by this server.\n", + "formate": "bytes", + "name": "read.bytes", + "type": "long" + }, + { + "description": "Total number of bytes send to the network by this server.\n", + "formate": "bytes", + "name": "written.bytes", + "type": "long" + }, + { + "description": "Number of items currently in this server's cache.\n", + "name": "items.current", + "type": "long" + }, + { + "description": "Number of items stored ever stored on this server. This is no \"maximum item count\" value but a counted increased by every new item stored in the cache.\n", + "formate": "bytes", + "name": "items.total", + "type": "long" + }, + { + "description": "Number of objects removed from the cache to free up memory for new items because Memcached reached it's maximum memory setting (limit_maxbytes).\n", + "formate": "bytes", + "name": "evictions", + "type": "long" + }, + { + "description": "Number of bytes currently used for caching items.\n", + "formate": "bytes", + "name": "bytes.current", + "type": "long" + }, + { + "description": "Number of bytes this server is allowed to use for storage.\n", + "formate": "bytes", + "name": "bytes.limit", + "type": "long" + } + ], + "name": "stats", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "mongodb": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:27017" + ], + "module": "mongodb", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Metrics 
collected from MongoDB servers.\n", + "fields": [ + { + "description": "MongoDB metrics.\n", + "fields": null, + "name": "mongodb", + "type": "group" + } + ], + "key": "mongodb", + "release": "ga", + "settings": [ + "ssl" + ], + "short_config": false, + "title": "MongoDB" + } + ] + } + }, + "collstats": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "MongoDB collection statistics metrics.\n", + "fields": [ + { + "description": "Database name.\n", + "name": "db", + "type": "keyword" + }, + { + "description": "Collection name.\n", + "name": "collection", + "type": "keyword" + }, + { + "description": "Combination of database and collection name.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Total waiting time for locks in microseconds.\n", + "name": "total.time.us", + "type": "long" + }, + { + "description": "Total number of lock wait events.\n", + "name": "total.count", + "type": "long" + }, + { + "fields": [ + { + "description": "Time waiting for read locks in microseconds.\n", + "name": "read.time.us", + "type": "long" + }, + { + "description": "Number of read lock wait events.\n", + "name": "read.count", + "type": "long" + }, + { + "description": "Time waiting for write locks in microseconds.\n", + "name": "write.time.us", + "type": "long" + }, + { + "description": "Number of write lock wait events.\n", + "name": "write.count", + "type": "long" + } + ], + "name": "lock", + "type": "group" + }, + { + "description": "Time running queries in microseconds.\n", + "name": "queries.time.us", + "type": "long" + }, + { + "description": "Number of queries executed.\n", + "name": "queries.count", + "type": "long" + }, + { + "description": "Time asking for more cursor rows in microseconds.\n", + "name": "getmore.time.us", + "type": "long" + }, + { + "description": "Number of times a cursor asked for more data.\n", + "name": "getmore.count", + "type": "long" + }, + { + "description": "Time inserting new documents in 
microseconds.\n", + "name": "insert.time.us", + "type": "long" + }, + { + "description": "Number of document insert events.\n", + "name": "insert.count", + "type": "long" + }, + { + "description": "Time updating documents in microseconds.\n", + "name": "update.time.us", + "type": "long" + }, + { + "description": "Number of document update events.\n", + "name": "update.count", + "type": "long" + }, + { + "description": "Time deleting documents in microseconds.\n", + "name": "remove.time.us", + "type": "long" + }, + { + "description": "Number of document delete events.\n", + "name": "remove.count", + "type": "long" + }, + { + "description": "Time executing database commands in microseconds.\n", + "name": "commands.time.us", + "type": "long" + }, + { + "description": "Number of database commands executed.\n", + "name": "commands.count", + "type": "long" + } + ], + "name": "collstats", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "dbstats": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "dbstats provides an overview of a particular mongo database. 
This document is most concerned with data volumes of a database.\n", + "fields": [ + { + "format": "bytes", + "name": "avg_obj_size.bytes", + "type": "long" + }, + { + "name": "collections", + "type": "integer" + }, + { + "format": "bytes", + "name": "data_size.bytes", + "type": "long" + }, + { + "name": "db", + "type": "keyword" + }, + { + "format": "bytes", + "name": "file_size.bytes", + "type": "long" + }, + { + "format": "bytes", + "name": "index_size.bytes", + "type": "long" + }, + { + "name": "indexes", + "type": "long" + }, + { + "name": "num_extents", + "type": "long" + }, + { + "name": "objects", + "type": "long" + }, + { + "format": "bytes", + "name": "storage_size.bytes", + "type": "long" + }, + { + "name": "ns_size_mb.mb", + "type": "long" + }, + { + "fields": [ + { + "name": "major", + "type": "long" + }, + { + "name": "minor", + "type": "long" + } + ], + "name": "data_file_version", + "type": "group" + }, + { + "fields": [ + { + "name": "num", + "type": "long" + }, + { + "format": "bytes", + "name": "size.bytes", + "type": "long" + } + ], + "name": "extent_free_list", + "type": "group" + } + ], + "name": "dbstats", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "metrics": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Statistics that reflect the current use and state of a running `mongod` instance for more information, take a look at https://docs.mongodb.com/manual/reference/command/serverStatus/#serverstatus.metrics\n", + "fields": [ + { + "description": "Reports on the use of database commands. The fields in metrics.commands are the names of database commands and each value is a document that reports the total number of commands executed as well as the number of failed executions.\nmetrics.commands..failed shows the number of times failed on this mongod. 
metrics.commands..total shows the number of times executed on this mongod.\n", + "fields": [ + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "is_self", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "aggregate", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "build_info", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "coll_stats", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "connection_pool_stats", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "count", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "db_stats", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "distinct", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "find", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "get_cmd_line_opts", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "get_last_error", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "get_log", + "type": 
"group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "get_more", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "get_parameter", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "host_info", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "insert", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "is_master", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "last_collections", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "last_commands", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "list_databased", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "list_indexes", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "ping", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "profile", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "replset_get_rbid", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" 
+ }, + { + "name": "total", + "type": "long" + } + ], + "name": "replset_get_status", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "replset_heartbeat", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "replset_update_position", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "server_status", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "update", + "type": "group" + }, + { + "fields": [ + { + "name": "failed", + "type": "long" + }, + { + "name": "total", + "type": "long" + } + ], + "name": "whatsmyuri", + "type": "group" + } + ], + "name": "commands", + "type": "group" + }, + { + "description": "Contains data regarding cursor state and use.\n", + "fields": [ + { + "description": "The total number of cursors that have timed out since the server process started.\n", + "name": "timed_out", + "type": "long" + }, + { + "description": "Contains data regarding open cursors.\n", + "fields": [ + { + "description": "The number of open cursors with the option DBQuery.Option.noTimeout set to prevent timeout.\n", + "name": "no_timeout", + "type": "long" + }, + { + "description": "The number of `pinned` open cursors.\n", + "name": "pinned", + "type": "long" + }, + { + "description": "The number of cursors that MongoDB is maintaining for clients.\n", + "name": "total", + "type": "long" + } + ], + "name": "open", + "type": "group" + } + ], + "name": "cursor", + "type": "group" + }, + { + "description": "Reflects document access and modification patterns.\n", + "fields": [ + { + "description": "The total number of documents deleted.\n", + "name": "deleted", + "type": "long" + }, + { + 
"description": "The total number of documents inserted.\n", + "name": "inserted", + "type": "long" + }, + { + "description": "The total number of documents returned by queries.\n", + "name": "returned", + "type": "long" + }, + { + "description": "The total number of documents updated.\n", + "name": "updated", + "type": "long" + } + ], + "name": "document", + "type": "group" + }, + { + "description": "Returns the error status of the preceding write operation on the current connection.\n", + "fields": [ + { + "description": "The total amount of time in milliseconds that the mongod has spent performing getLastError operations with write concern (i.e. w) greater than 1.\n", + "name": "write_wait.ms", + "type": "long" + }, + { + "description": "The total number of getLastError operations with a specified write concern (i.e. w) greater than 1.\n", + "name": "write_wait.count", + "type": "long" + }, + { + "description": "The number of times that write concern operations have timed out as a result of the wtimeout threshold to getLastError.\n", + "name": "write_timeouts", + "type": "long" + } + ], + "name": "get_last_error", + "type": "group" + }, + { + "description": "Holds counters for several types of update and query operations that MongoDB handles using special operation types.\n", + "fields": [ + { + "description": "The total number of queries that return sorted numbers that cannot perform the sort operation using an index.\n", + "name": "scan_and_order", + "type": "long" + }, + { + "description": "The total number of queries that encountered write conflicts.\n", + "name": "write_conflicts", + "type": "long" + } + ], + "name": "operation", + "type": "group" + }, + { + "description": "Reports data from the query execution system.\n", + "fields": [ + { + "description": "The total number of index items scanned during queries and query-plan evaluation.\n", + "name": "scanned_indexes.count", + "type": "long" + }, + { + "description": "The total number of documents scanned 
during queries and query-plan evaluation.\n", + "name": "scanned_documents.count", + "type": "long" + } + ], + "name": "query_executor", + "type": "group" + }, + { + "description": "Reports metrics related to the replication process. metrics.replication appears on all mongod instances, even those that aren't members of replica sets.\n", + "fields": [ + { + "description": "Reports on various statistics for the replication executor.\n", + "fields": [ + { + "fields": [ + { + "name": "event_created", + "type": "long" + }, + { + "name": "event_wait", + "type": "long" + }, + { + "name": "cancels", + "type": "long" + }, + { + "name": "waits", + "type": "long" + }, + { + "fields": [ + { + "name": "netcmd", + "type": "long" + }, + { + "name": "dbwork", + "type": "long" + }, + { + "name": "exclusive", + "type": "long" + }, + { + "name": "work_at", + "type": "long" + }, + { + "name": "work", + "type": "long" + }, + { + "name": "failures", + "type": "long" + } + ], + "name": "scheduled", + "type": "group" + } + ], + "name": "counters", + "type": "group" + }, + { + "fields": [ + { + "fields": [ + { + "name": "network", + "type": "long" + }, + { + "name": "dbwork", + "type": "long" + }, + { + "name": "exclusive", + "type": "long" + } + ], + "name": "in_progress", + "type": "group" + }, + { + "name": "sleepers", + "type": "long" + }, + { + "name": "ready", + "type": "long" + }, + { + "name": "free", + "type": "long" + } + ], + "name": "queues", + "type": "group" + }, + { + "name": "unsignaled_events", + "type": "long" + }, + { + "name": "event_waiters", + "type": "long" + }, + { + "name": "shutting_down", + "type": "boolean" + }, + { + "name": "network_interface", + "type": "keyword" + } + ], + "name": "executor", + "type": "group" + }, + { + "description": "Reports on the application of operations from the replication oplog.\n", + "fields": [ + { + "name": "attempts_to_become_secondary", + "type": "long" + }, + { + "description": "Reports on the oplog application process on 
secondaries members of replica sets.\n", + "fields": [ + { + "description": "The total number of batches applied across all databases.\n", + "name": "count", + "type": "long" + }, + { + "description": "The total amount of time in milliseconds the mongod has spent applying operations from the oplog.\n", + "name": "time.ms", + "type": "long" + } + ], + "name": "batches", + "type": "group" + }, + { + "description": "The total number of oplog operations applied.\n", + "name": "ops", + "type": "long" + } + ], + "name": "apply", + "type": "group" + }, + { + "description": "MongoDB buffers oplog operations from the replication sync source buffer before applying oplog entries in a batch. metrics.replication.buffer provides a way to track the oplog buffer.\n", + "fields": [ + { + "description": "The current number of operations in the oplog buffer.\n", + "name": "count", + "type": "long" + }, + { + "description": "The maximum size of the buffer. This value is a constant setting in the mongod, and is not configurable.\n", + "name": "max_size.bytes", + "type": "long" + }, + { + "description": "The current size of the contents of the oplog buffer.\n", + "name": "size.bytes", + "type": "long" + } + ], + "name": "buffer", + "type": "group" + }, + { + "description": "Report initial sync status\n", + "fields": [ + { + "name": "completed", + "type": "long" + }, + { + "name": "failed_attempts", + "type": "long" + }, + { + "name": "failures", + "type": "long" + } + ], + "name": "initial_sync", + "type": "group" + }, + { + "description": "Reports network use by the replication process.\n", + "fields": [ + { + "description": "The total amount of data read from the replication sync source.\n", + "name": "bytes", + "type": "long" + }, + { + "description": "Reports on the getmore operations, which are requests for additional results from the oplog cursor as part of the oplog replication process.\n", + "fields": [ + { + "description": "The total number of getmore operations\n", + "name": 
"count", + "type": "long" + }, + { + "description": "The total amount of time required to collect data from getmore operations.\n", + "name": "time.ms", + "type": "long" + } + ], + "name": "getmores", + "type": "group" + }, + { + "description": "The total number of operations read from the replication source.\n", + "name": "ops", + "type": "long" + }, + { + "description": "The total number of oplog query processes created.\n", + "name": "reders_created", + "type": "long" + } + ], + "name": "network", + "type": "group" + }, + { + "description": "Reports on the `pre-fetch` stage, where MongoDB loads documents and indexes into RAM to improve replication throughput.\n", + "fields": [ + { + "description": "Reports on the documents loaded into memory during the pre-fetch stage.\n", + "fields": [ + { + "description": "The total number of documents loaded during the pre-fetch stage of replication.\n", + "name": "count", + "type": "long" + }, + { + "decsription": "The total amount of time spent loading documents as part of the pre-fetch stage of replication.\n", + "name": "time.ms", + "type": "long" + } + ], + "name": "docs", + "type": "group" + }, + { + "description": "Reports on the index items loaded into memory during the pre-fetch stage of replication.\n", + "fields": [ + { + "description": "The total number of index entries loaded by members before updating documents as part of the pre-fetch stage of replication.\n", + "name": "count", + "type": "long" + }, + { + "description": "The total amount of time, in milliseconds, spent loading index entries as part of the pre-fetch stage of replication.\n", + "name": "time.ms", + "type": "long" + } + ], + "name": "indexes", + "type": "group" + } + ], + "name": "preload", + "type": "group" + } + ], + "name": "replication", + "type": "group" + }, + { + "fields": [ + { + "description": "The number of times that mongod has checked the free list without finding a suitably large record allocation.\n", + "name": "bucket_exhausted", + 
"type": "long" + }, + { + "description": "The number of times mongod has searched for available record allocations.\n", + "name": "requests", + "type": "long" + }, + { + "description": "The number of available record allocations mongod has searched.\n", + "name": "scanned", + "type": "long" + } + ], + "name": "storage.free_list.search", + "type": "group" + }, + { + "description": "Reports on the operation of the resource use of the ttl index process.\n", + "fields": [ + { + "description": "The total number of documents deleted from collections with a ttl index.\n", + "name": "deleted_documents.count", + "type": "long" + }, + { + "description": "The number of times the background process removes documents from collections with a ttl index.\n", + "name": "passes.count", + "type": "long" + } + ], + "name": "ttl", + "type": "group" + } + ], + "name": "metrics", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "replstatus": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "replstatus provides an overview of replica set status.\n", + "fields": [ + { + "description": "oplog provides an overview of replication oplog status, which is retrieved from db.getReplicationInfo().\n", + "fields": [ + { + "description": "The total amount of space used by the replstatus in bytes.\n", + "format": "bytes", + "name": "size.allocated", + "type": "long" + }, + { + "description": "total amount of space allocated to the replstatus in bytes.\n", + "format": "bytes", + "name": "size.used", + "type": "long" + }, + { + "description": "Timestamp of the first (i.e. earliest) operation in the replstatus\n", + "name": "first.timestamp", + "type": "long" + }, + { + "description": "Timestamp of the last (i.e. 
latest) operation in the replstatus\n", + "name": "last.timestamp", + "type": "long" + }, + { + "description": "The difference between the first and last operation in the replstatus.\n", + "name": "window", + "type": "long" + } + ], + "name": "oplog", + "type": "group" + }, + { + "description": "The name of the replica set.\n", + "name": "set_name", + "type": "keyword" + }, + { + "description": "Reflects the current time according to the server that processed the replSetGetStatus command.\n", + "name": "server_date", + "type": "date" + }, + { + "fields": [ + { + "description": "Information, from the viewpoint of this member, regarding the most recent operation that has been written to a majority of replica set members.\n", + "name": "last_committed", + "type": "long" + }, + { + "description": "Information, from the viewpoint of this member, regarding the most recent operation that has been applied to this member of the replica set.\n", + "name": "applied", + "type": "long" + }, + { + "description": "Information, from the viewpoint of this member, regarding the most recent operation that has been written to the journal of this member of the replica set.\n", + "name": "durable", + "type": "long" + } + ], + "name": "optimes", + "type": "group" + }, + { + "description": "Delay between a write operation on the primary and its copy to a secondary\n", + "fields": [ + { + "description": "Difference between optime of primary and slowest secondary\n", + "format": "duration", + "name": "max", + "type": "long" + }, + { + "description": "Difference between optime of primary and fastest secondary\n", + "format": "duration", + "name": "min", + "type": "long" + } + ], + "name": "lag", + "type": "group" + }, + { + "description": "Difference between the primary's oplog window and the replication lag of the secondary\n", + "fields": [ + { + "description": "Difference between primary's oplog window and the replication lag of the fastest secondary\n", + "format": "duration", + "name": 
"max", + "type": "long" + }, + { + "description": "Difference between primary's oplog window and the replication lag of the slowest secondary\n", + "format": "duration", + "name": "min", + "type": "long" + } + ], + "name": "headroom", + "type": "group" + }, + { + "description": "Provides information about members of replica set grouped by their state\n", + "fields": [ + { + "description": "Host address of the primary\n", + "name": "primary.host", + "type": "keyword" + }, + { + "description": "Optime of primary\n", + "name": "primary.optime", + "type": "keyword" + }, + { + "description": "List of secondary hosts\n", + "name": "secondary.hosts", + "type": "keyword" + }, + { + "description": "Optimes of secondaries\n", + "name": "secondary.optimes", + "type": "keyword" + }, + { + "descriprtion": "Count of secondaries\n", + "name": "secondary.count", + "type": "long" + }, + { + "description": "List of recovering members hosts\n", + "name": "recovering.hosts", + "type": "keyword" + }, + { + "description": "Count of members in the `recovering` state\n", + "name": "recovering.count", + "type": "long" + }, + { + "description": "List of members' hosts in the `unknown` state\n", + "name": "unknown.hosts", + "type": "keyword" + }, + { + "description": "Count of members with `unknown` state\n", + "name": "unknown.count", + "type": "long" + }, + { + "description": "List of initializing members hosts\n", + "name": "startup2.hosts", + "type": "keyword" + }, + { + "description": "Count of members in the `startup2` state\n", + "name": "startup2.count", + "type": "long" + }, + { + "description": "List of arbiters hosts\n", + "name": "arbiter.hosts", + "type": "keyword" + }, + { + "description": "Count of arbiters\n", + "name": "arbiter.count", + "type": "long" + }, + { + "description": "List of `down` members hosts\n", + "name": "down.hosts", + "type": "keyword" + }, + { + "description": "Count of `down` members\n", + "name": "down.count", + "type": "long" + }, + { + "description": 
"List of members in the `rollback` state\n", + "name": "rollback.hosts", + "type": "keyword" + }, + { + "description": "Count of members in the `rollback` state\n", + "name": "rollback.count", + "type": "long" + }, + { + "description": "List of members' hosts with healthy = false\n", + "name": "unhealthy.hosts", + "type": "keyword" + }, + { + "description": "Count of unhealthy members\n", + "name": "unhealthy.count", + "type": "long" + } + ], + "name": "members", + "type": "group" + } + ], + "name": "replstatus", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "status": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "MongoDB server status metrics.\n", + "fields": [ + { + "description": "Instance version.\n", + "name": "version", + "path": "service.version", + "type": "alias" + }, + { + "description": "The current MongoDB process. Possible values are mongos or mongod.\n", + "name": "process", + "path": "process.name", + "type": "alias" + }, + { + "description": "Instance uptime in milliseconds.\n", + "name": "uptime.ms", + "type": "long" + }, + { + "description": "Local time as reported by the MongoDB instance.\n", + "name": "local_time", + "type": "date" + }, + { + "description": "Number of regular assertions produced by the server.\n", + "name": "asserts.regular", + "type": "long" + }, + { + "description": "Number of warning assertions produced by the server.\n", + "name": "asserts.warning", + "type": "long" + }, + { + "description": "Number of msg assertions produced by the server.\n", + "name": "asserts.msg", + "type": "long" + }, + { + "description": "Number of user assertions produced by the server.\n", + "name": "asserts.user", + "type": "long" + }, + { + "description": "Number of rollovers assertions produced by the server.\n", + "name": "asserts.rollovers", + "type": "long" + }, + { + "description": "Data regarding the current status of incoming connections and availability of the database server.\n", + 
"fields": [ + { + "description": "The number of connections to the database server from clients. This number includes the current shell session. Consider the value of `available` to add more context to this datum.\n", + "name": "current", + "type": "long" + }, + { + "description": "The number of unused available incoming connections the database can provide.\n", + "name": "available", + "type": "long" + }, + { + "description": "A count of all incoming connections created to the server. This number includes connections that have since closed.\n", + "name": "total_created", + "type": "long" + } + ], + "name": "connections", + "type": "group" + }, + { + "description": "Platform specific data.\n", + "fields": [ + { + "description": "The total size in bytes of heap space used by the database process. Only available on Unix/Linux.\n", + "format": "bytes", + "name": "heap_usage.bytes", + "type": "long" + }, + { + "description": "The total number of page faults that require disk operations. Page faults refer to operations that require the database server to access data that isn't available in active memory.\n", + "name": "page_faults", + "type": "long" + } + ], + "name": "extra_info", + "type": "group" + }, + { + "description": "Reports on lock state of the database.\n", + "fields": [ + { + "description": "The time, in microseconds, since the database last started and created the globalLock. 
This is roughly equivalent to total server uptime.\n", + "name": "total_time.us", + "type": "long" + }, + { + "description": "The number of operations queued because of a lock.\n", + "fields": [ + { + "description": "The total number of operations queued waiting for the lock (i.e., the sum of current_queue.readers and current_queue.writers).\n", + "name": "total", + "type": "long" + }, + { + "description": "The number of operations that are currently queued and waiting for the read lock.\n", + "name": "readers", + "type": "long" + }, + { + "description": "The number of operations that are currently queued and waiting for the write lock.\n", + "name": "writers", + "type": "long" + } + ], + "name": "current_queue", + "type": "group" + }, + { + "description": "The number of connected clients and the read and write operations performed by these clients.\n", + "fields": [ + { + "description": "Total number of the active client connections performing read or write operations.\n", + "name": "total", + "type": "long" + }, + { + "description": "The number of the active client connections performing read operations.\n", + "name": "readers", + "type": "long" + }, + { + "description": "The number of the active client connections performing write operations.\n", + "name": "writers", + "type": "long" + } + ], + "name": "active_clients", + "type": "group" + } + ], + "name": "global_lock", + "type": "group" + }, + { + "description": "A document that reports for each lock , data on lock s. The possible lock s are global, database, collection, metadata and oplog. The possible s are r, w, R and W which respresent shared, exclusive, intent shared and intent exclusive.\nlocks..acquire.count. shows the number of times the lock was acquired in the specified mode. locks..wait.count. shows the number of times the locks.acquireCount lock acquisitions encountered waits because the locks were held in a conflicting mode. locks..wait.us. 
shows the cumulative wait time in microseconds for the lock acquisitions. locks..deadlock.count. shows the number of times the lock acquisitions encountered deadlocks.\n", + "fields": [ + { + "fields": [ + { + "name": "acquire.count.r", + "type": "long" + }, + { + "name": "acquire.count.w", + "type": "long" + }, + { + "name": "acquire.count.R", + "type": "long" + }, + { + "name": "acquire.count.W", + "type": "long" + }, + { + "name": "wait.count.r", + "type": "long" + }, + { + "name": "wait.count.w", + "type": "long" + }, + { + "name": "wait.count.R", + "type": "long" + }, + { + "name": "wait.count.W", + "type": "long" + }, + { + "name": "wait.us.r", + "type": "long" + }, + { + "name": "wait.us.w", + "type": "long" + }, + { + "name": "wait.us.R", + "type": "long" + }, + { + "name": "wait.us.W", + "type": "long" + }, + { + "name": "deadlock.count.r", + "type": "long" + }, + { + "name": "deadlock.count.w", + "type": "long" + }, + { + "name": "deadlock.count.R", + "type": "long" + }, + { + "name": "deadlock.count.W", + "type": "long" + } + ], + "name": "global", + "type": "group" + }, + { + "fields": [ + { + "name": "acquire.count.r", + "type": "long" + }, + { + "name": "acquire.count.w", + "type": "long" + }, + { + "name": "acquire.count.R", + "type": "long" + }, + { + "name": "acquire.count.W", + "type": "long" + }, + { + "name": "wait.count.r", + "type": "long" + }, + { + "name": "wait.count.w", + "type": "long" + }, + { + "name": "wait.count.R", + "type": "long" + }, + { + "name": "wait.count.W", + "type": "long" + }, + { + "name": "wait.us.r", + "type": "long" + }, + { + "name": "wait.us.w", + "type": "long" + }, + { + "name": "wait.us.R", + "type": "long" + }, + { + "name": "wait.us.W", + "type": "long" + }, + { + "name": "deadlock.count.r", + "type": "long" + }, + { + "name": "deadlock.count.w", + "type": "long" + }, + { + "name": "deadlock.count.R", + "type": "long" + }, + { + "name": "deadlock.count.W", + "type": "long" + } + ], + "name": "database", + 
"type": "group" + }, + { + "fields": [ + { + "name": "acquire.count.r", + "type": "long" + }, + { + "name": "acquire.count.w", + "type": "long" + }, + { + "name": "acquire.count.R", + "type": "long" + }, + { + "name": "acquire.count.W", + "type": "long" + }, + { + "name": "wait.count.r", + "type": "long" + }, + { + "name": "wait.count.w", + "type": "long" + }, + { + "name": "wait.count.R", + "type": "long" + }, + { + "name": "wait.count.W", + "type": "long" + }, + { + "name": "wait.us.r", + "type": "long" + }, + { + "name": "wait.us.w", + "type": "long" + }, + { + "name": "wait.us.R", + "type": "long" + }, + { + "name": "wait.us.W", + "type": "long" + }, + { + "name": "deadlock.count.r", + "type": "long" + }, + { + "name": "deadlock.count.w", + "type": "long" + }, + { + "name": "deadlock.count.R", + "type": "long" + }, + { + "name": "deadlock.count.W", + "type": "long" + } + ], + "name": "collection", + "type": "group" + }, + { + "fields": [ + { + "name": "acquire.count.r", + "type": "long" + }, + { + "name": "acquire.count.w", + "type": "long" + }, + { + "name": "acquire.count.R", + "type": "long" + }, + { + "name": "acquire.count.W", + "type": "long" + }, + { + "name": "wait.count.r", + "type": "long" + }, + { + "name": "wait.count.w", + "type": "long" + }, + { + "name": "wait.count.R", + "type": "long" + }, + { + "name": "wait.count.W", + "type": "long" + }, + { + "name": "wait.us.r", + "type": "long" + }, + { + "name": "wait.us.w", + "type": "long" + }, + { + "name": "wait.us.R", + "type": "long" + }, + { + "name": "wait.us.W", + "type": "long" + }, + { + "name": "deadlock.count.r", + "type": "long" + }, + { + "name": "deadlock.count.w", + "type": "long" + }, + { + "name": "deadlock.count.R", + "type": "long" + }, + { + "name": "deadlock.count.W", + "type": "long" + } + ], + "name": "meta_data", + "type": "group" + }, + { + "fields": [ + { + "name": "acquire.count.r", + "type": "long" + }, + { + "name": "acquire.count.w", + "type": "long" + }, + { + "name": 
"acquire.count.R", + "type": "long" + }, + { + "name": "acquire.count.W", + "type": "long" + }, + { + "name": "wait.count.r", + "type": "long" + }, + { + "name": "wait.count.w", + "type": "long" + }, + { + "name": "wait.count.R", + "type": "long" + }, + { + "name": "wait.count.W", + "type": "long" + }, + { + "name": "wait.us.r", + "type": "long" + }, + { + "name": "wait.us.w", + "type": "long" + }, + { + "name": "wait.us.R", + "type": "long" + }, + { + "name": "wait.us.W", + "type": "long" + }, + { + "name": "deadlock.count.r", + "type": "long" + }, + { + "name": "deadlock.count.w", + "type": "long" + }, + { + "name": "deadlock.count.R", + "type": "long" + }, + { + "name": "deadlock.count.W", + "type": "long" + } + ], + "name": "oplog", + "type": "group" + } + ], + "name": "locks", + "type": "group" + }, + { + "description": "Platform specific data.\n", + "fields": [ + { + "description": "The amount of network traffic, in bytes, received by this database.\n", + "format": "bytes", + "name": "in.bytes", + "type": "long" + }, + { + "description": "The amount of network traffic, in bytes, sent from this database.\n", + "format": "bytes", + "name": "out.bytes", + "type": "long" + }, + { + "description": "The total number of requests received by the server.\n", + "name": "requests", + "type": "long" + } + ], + "name": "network", + "type": "group" + }, + { + "description": "Operation latencies for the database as a whole. 
Only mongod instances report this metric.\n", + "fields": [ + { + "description": "Total combined latency in microseconds.\n", + "name": "reads.latency", + "type": "long" + }, + { + "description": "Total number of read operations performed on the collection since startup.\n", + "name": "reads.count", + "type": "long" + }, + { + "description": "Total combined latency in microseconds.\n", + "name": "writes.latency", + "type": "long" + }, + { + "description": "Total number of write operations performed on the collection since startup.\n", + "name": "writes.count", + "type": "long" + }, + { + "description": "Total combined latency in microseconds.\n", + "name": "commands.latency", + "type": "long" + }, + { + "description": "Total number of commands performed on the collection since startup.\n", + "name": "commands.count", + "type": "long" + } + ], + "name": "ops.latencies", + "type": "group" + }, + { + "description": "An overview of database operations by type.\n", + "fields": [ + { + "description": "The total number of insert operations received since the mongod instance last started.\n", + "name": "insert", + "type": "long" + }, + { + "description": "The total number of queries received since the mongod instance last started.\n", + "name": "query", + "type": "long" + }, + { + "description": "The total number of update operations received since the mongod instance last started.\n", + "name": "update", + "type": "long" + }, + { + "description": "The total number of delete operations received since the mongod instance last started.\n", + "name": "delete", + "type": "long" + }, + { + "description": "The total number of getmore operations received since the mongod instance last started.\n", + "name": "getmore", + "type": "long" + }, + { + "description": "The total number of commands issued to the database since the mongod instance last started.\n", + "name": "command", + "type": "long" + } + ], + "name": "ops.counters", + "type": "group" + }, + { + "description": "An 
overview of database replication operations by type.\n", + "fields": [ + { + "description": "The total number of replicated insert operations received since the mongod instance last started.\n", + "name": "insert", + "type": "long" + }, + { + "description": "The total number of replicated queries received since the mongod instance last started.\n", + "name": "query", + "type": "long" + }, + { + "description": "The total number of replicated update operations received since the mongod instance last started.\n", + "name": "update", + "type": "long" + }, + { + "description": "The total number of replicated delete operations received since the mongod instance last started.\n", + "name": "delete", + "type": "long" + }, + { + "description": "The total number of replicated getmore operations received since the mongod instance last started.\n", + "name": "getmore", + "type": "long" + }, + { + "description": "The total number of replicated commands issued to the database since the mongod instance last started.\n", + "name": "command", + "type": "long" + } + ], + "name": "ops.replicated", + "type": "group" + }, + { + "description": "Data about the current memory usage of the mongod server.\n", + "fields": [ + { + "description": "Either 64 or 32, depending on which target architecture was specified during the mongod compilation process.\n", + "name": "bits", + "type": "long" + }, + { + "description": "The amount of RAM, in megabytes (MB), currently used by the database process.\n", + "name": "resident.mb", + "type": "long" + }, + { + "description": "The amount, in megabytes (MB), of virtual memory used by the mongod process.\n", + "name": "virtual.mb", + "type": "long" + }, + { + "description": "The amount of mapped memory, in megabytes (MB), used by the database. 
Because MongoDB uses memory-mapped files, this value is likely to be to be roughly equivalent to the total size of your database or databases.\n", + "name": "mapped.mb", + "type": "long" + }, + { + "description": "The amount of mapped memory, in megabytes (MB), including the memory used for journaling.\n", + "name": "mapped_with_journal.mb", + "type": "long" + } + ], + "name": "memory", + "type": "group" + }, + { + "description": "True when there are operations from a mongos instance queued for retrying.\n", + "name": "write_backs_queued", + "type": "boolean" + }, + { + "description": "A string that represents the name of the current storage engine.\n", + "name": "storage_engine.name", + "type": "keyword" + }, + { + "description": "Statistics about the WiredTiger storage engine.\n", + "fields": [ + { + "description": "Statistics about the transactions currently in progress.\n", + "fields": [ + { + "description": "Number of concurrent write transaction in progress.\n", + "name": "write.out", + "type": "long" + }, + { + "description": "Number of concurrent write tickets available.\n", + "name": "write.available", + "type": "long" + }, + { + "description": "Number of total write tickets.\n", + "name": "write.total_tickets", + "type": "long" + }, + { + "description": "Number of concurrent read transaction in progress.\n", + "name": "read.out", + "type": "long" + }, + { + "description": "Number of concurrent read tickets available.\n", + "name": "read.available", + "type": "long" + }, + { + "description": "Number of total read tickets.\n", + "name": "read.total_tickets", + "type": "long" + } + ], + "name": "concurrent_transactions", + "type": "group" + }, + { + "description": "Statistics about the cache and page evictions from the cache.\n", + "fields": [ + { + "description": "Maximum cache size.\n", + "format": "bytes", + "name": "maximum.bytes", + "type": "long" + }, + { + "description": "Size in byte of the data currently in cache.\n", + "format": "bytes", + "name": 
"used.bytes", + "type": "long" + }, + { + "description": "Size in bytes of the dirty data in the cache.\n", + "format": "bytes", + "name": "dirty.bytes", + "type": "long" + }, + { + "description": "Number of pages read into the cache.\n", + "name": "pages.read", + "type": "long" + }, + { + "description": "Number of pages written from the cache.\n", + "name": "pages.write", + "type": "long" + }, + { + "description": "Number of pages evicted from the cache.\n", + "name": "pages.evicted", + "type": "long" + } + ], + "name": "cache", + "type": "group" + }, + { + "description": "Statistics about the write ahead log used by WiredTiger.\n", + "fields": [ + { + "description": "Total log size in bytes.\n", + "format": "bytes", + "name": "size.bytes", + "type": "long" + }, + { + "description": "Number of bytes written into the log.\n", + "format": "bytes", + "name": "write.bytes", + "type": "long" + }, + { + "description": "Maximum file size.\n", + "format": "bytes", + "name": "max_file_size.bytes", + "type": "long" + }, + { + "description": "Number of flush operations.\n", + "name": "flushes", + "type": "long" + }, + { + "description": "Number of write operations.\n", + "name": "writes", + "type": "long" + }, + { + "description": "Number of scan operations.\n", + "name": "scans", + "type": "long" + }, + { + "description": "Number of sync operations.\n", + "name": "syncs", + "type": "long" + } + ], + "name": "log", + "type": "group" + } + ], + "name": "wired_tiger", + "type": "group" + }, + { + "description": "Data about the process MongoDB uses to write data to disk. This data is only available for instances that use the MMAPv1 storage engine.\n", + "fields": [ + { + "description": "A counter that collects the number of times the database has flushed all writes to disk.\n", + "name": "flushes", + "type": "long" + }, + { + "description": "The total number of milliseconds (ms) that the mongod processes have spent writing (i.e. flushing) data to disk. 
Because this is an absolute value, consider the value of `flushes` and `average_ms` to provide better context for this datum.\n", + "name": "total.ms", + "type": "long" + }, + { + "description": "The average time spent flushing to disk per flush event.\n", + "name": "average.ms", + "type": "long" + }, + { + "description": "The amount of time, in milliseconds, that the last flush operation took to complete.\n", + "name": "last.ms", + "type": "long" + }, + { + "description": "A timestamp of the last completed flush operation.\n", + "name": "last_finished", + "type": "date" + } + ], + "name": "background_flushing", + "type": "group" + }, + { + "description": "Data about the journaling-related operations and performance. Journaling information only appears for mongod instances that use the MMAPv1 storage engine and have journaling enabled.\n", + "fields": [ + { + "description": "The number of transactions written to the journal during the last journal group commit interval.\n", + "name": "commits", + "type": "long" + }, + { + "description": "The amount of data in megabytes (MB) written to journal during the last journal group commit interval.\n", + "name": "journaled.mb", + "type": "long" + }, + { + "description": "The amount of data in megabytes (MB) written from journal to the data files during the last journal group commit interval.\n", + "name": "write_to_data_files.mb", + "type": "long" + }, + { + "description": "The compression ratio of the data written to the journal.\n", + "name": "compression", + "type": "long" + }, + { + "description": "Count of the commits that occurred while a write lock was held. 
Commits in a write lock indicate a MongoDB node under a heavy write load and call for further diagnosis.\n", + "name": "commits_in_write_lock", + "type": "long" + }, + { + "description": "The number of times MongoDB requested a commit before the scheduled journal group commit interval.\n", + "name": "early_commits", + "type": "long" + }, + { + "description": "Information about the performance of the mongod instance during the various phases of journaling in the last journal group commit interval.\n", + "fields": [ + { + "description": "The amount of time over which MongoDB collected the times data. Use this field to provide context to the other times field values.\n", + "name": "dt.ms", + "type": "long" + }, + { + "description": "The amount of time spent preparing to write to the journal. Smaller values indicate better journal performance.\n", + "name": "prep_log_buffer.ms", + "type": "long" + }, + { + "description": "The amount of time spent actually writing to the journal. File system speeds and device interfaces can affect performance.\n", + "name": "write_to_journal.ms", + "type": "long" + }, + { + "description": "The amount of time spent writing to data files after journaling. File system speeds and device interfaces can affect performance.\n", + "name": "write_to_data_files.ms", + "type": "long" + }, + { + "description": "The amount of time spent remapping copy-on-write memory mapped views. 
Smaller values indicate better journal performance.\n", + "name": "remap_private_view.ms", + "type": "long" + }, + { + "description": "The amount of time spent for commits.\n", + "name": "commits.ms", + "type": "long" + }, + { + "description": "The amount of time spent for commits that occurred while a write lock was held.\n", + "name": "commits_in_write_lock.ms", + "type": "long" + } + ], + "name": "times", + "type": "group" + } + ], + "name": "journaling", + "type": "group" + } + ], + "name": "status", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "mssql": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "sqlserver://localhost" + ], + "metricsets": [ + "transaction_log", + "performance" + ], + "module": "mssql", + "password": "verysecurepassword", + "period": "10s", + "username": "domain\\username" + } + ], + "fields.yml": [ + { + "description": "MS SQL module", + "fields": [ + { + "description": "The root field containing all MSSQL fields", + "fields": [ + { + "description": "The database that the metrics is being referred to", + "fields": [ + { + "description": "Unique ID of the database inside MSSQL", + "name": "id", + "type": "long" + }, + { + "description": "Name of the database", + "name": "name", + "type": "keyword" + } + ], + "name": "database", + "type": "group" + } + ], + "name": "mssql", + "type": "group" + } + ], + "key": "mssql", + "release": "beta", + "title": "MSSQL" + } + ] + } + }, + "performance": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "performance metricset fetches information about the Performance Counters", + "fields": [ + { + "description": "Number of page splits per second that occur as the result of overflowing index pages.", + "name": "page_splits_per_sec", + "type": "long" + }, + { + "description": "Number of lock requests per second that required the caller to wait.", + "name": "lock_waits_per_sec", + "type": "long" + }, + { + 
"description": "Total number of user connections", + "name": "user_connections", + "type": "long" + }, + { + "description": "Total number of transactions", + "name": "transactions", + "type": "long" + }, + { + "description": "Number of temporary tables/table variables in use.", + "name": "active_temp_tables", + "type": "long" + }, + { + "description": "Total number of logins started from the connection pool.", + "name": "connections_reset_per_sec", + "type": "long" + }, + { + "description": "Total number of logins started per second. This does not include pooled connections.", + "name": "logins_per_sec", + "type": "long" + }, + { + "description": "Total number of logout operations started per second.", + "name": "logouts_per_sec", + "type": "long" + }, + { + "description": "Number of statement recompiles per second. Counts the number of times statement recompiles are triggered. Generally, you want the recompiles to be low.", + "name": "recompilations_per_sec", + "type": "long" + }, + { + "description": "Number of SQL compilations per second. Indicates the number of times the compile code path is entered. Includes compiles caused by statement-level recompilations in SQL Server. After SQL Server user activity is stable, this value reaches a steady state.", + "name": "compilations_per_sec", + "type": "long" + }, + { + "description": "Number of Transact-SQL command batches received per second. This statistic is affected by all constraints (such as I/O, number of users, cache size, complexity of requests, and so on). High batch requests mean good throughput.", + "name": "batch_requests_per_sec", + "type": "long" + }, + { + "fields": [ + { + "description": "Indicates the percentage of pages found in the buffer cache without having to read from disk.", + "fields": [ + { + "description": "The ratio is the total number of cache hits divided by the total number of cache lookups over the last few thousand page accesses. 
After a long period of time, the ratio moves very little. Because reading from the cache is much less expensive than reading from disk, you want this ratio to be high", + "name": "pct", + "type": "double" + } + ], + "name": "cache_hit", + "type": "group" + }, + { + "description": "Indicates the number of seconds a page will stay in the buffer pool without references.", + "fields": [ + { + "description": "Indicates the number of seconds a page will stay in the buffer pool without references (in seconds).", + "name": "sec", + "type": "long" + } + ], + "name": "page_life_expectancy", + "type": "group" + }, + { + "description": "Indicates the number of pages flushed to disk per second by a checkpoint or other operation that require all dirty pages to be flushed.", + "name": "checkpoint_pages_per_sec", + "type": "long" + }, + { + "description": "Indicates the number of pages in the buffer pool with database content.", + "fields": null, + "name": "database_pages", + "type": "long" + }, + { + "description": "Ideal number of pages in the buffer pool.", + "fields": null, + "name": "target_pages", + "type": "long" + } + ], + "name": "buffer", + "type": "group" + } + ], + "name": "performance", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "transaction_log": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "transaction_log metricset will fetch information about the operation and transaction log of each database from a MSSQL instance", + "fields": [ + { + "description": "Space usage information for the transaction log", + "fields": [ + { + "description": "The amount of space used since the last log backup", + "fields": [ + { + "description": "The amount of space used since the last log backup in bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "since_last_backup", + "type": "group" + }, + { + "description": "The size of the log", + "fields": [ + { + "description": "The size of the log in bytes", + "name": 
"bytes", + "type": "long" + } + ], + "name": "total", + "type": "group" + }, + { + "description": "The occupied size of the log", + "fields": [ + { + "description": "The occupied size of the log in bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "A percentage of the occupied size of the log as a percent of the total log size", + "name": "pct", + "type": "float" + } + ], + "name": "used", + "type": "group" + } + ], + "name": "space_usage", + "type": "group" + }, + { + "description": "Returns summary level attributes and information on transaction log files of databases. Use this information for monitoring and diagnostics of transaction log health.", + "fields": [ + { + "description": "Total active transaction log size.", + "fields": [ + { + "description": "Total active transaction log size in bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "active_size", + "type": "group" + }, + { + "description": "Last transaction log backup time.", + "name": "backup_time", + "type": "date" + }, + { + "description": "Log size since log recovery log sequence number (LSN).", + "fields": [ + { + "description": "Log size in bytes since log recovery log sequence number (LSN).", + "name": "bytes", + "type": "long" + } + ], + "name": "recovery_size", + "type": "group" + }, + { + "description": "Log size since last checkpoint log sequence number (LSN).", + "fields": [ + { + "description": "Log size in bytes since last checkpoint log sequence number (LSN).", + "name": "bytes", + "type": "long" + } + ], + "name": "since_last_checkpoint", + "type": "group" + }, + { + "description": "Total transaction log size.", + "fields": [ + { + "description": "Total transaction log size in bytes.", + "name": "bytes", + "type": "long" + } + ], + "name": "total_size", + "type": "group" + } + ], + "name": "stats", + "type": "group" + } + ], + "name": "transaction_log", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "munin": { + "folders": { + 
"_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:4949" + ], + "module": "munin", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Munin node metrics exporter\n", + "fields": [ + { + "description": "Metrics exposed by a plugin of a munin node agent.\n", + "name": "munin.metrics.*", + "object_type": "double", + "object_type_mapping_type": "*", + "type": "object" + }, + { + "description": "Name of the plugin collecting these metrics.\n", + "name": "munin.plugin.name", + "type": "keyword" + }, + { + "fields": null, + "name": "munin", + "type": "group" + } + ], + "key": "munin", + "release": "ga", + "title": "Munin" + } + ] + } + }, + "node": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "release": "ga" + } + ] + } + } + } + } + } + }, + "mysql": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "root:secret@tcp(127.0.0.1:3306)/" + ], + "module": "mysql", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "MySQL server status metrics collected from MySQL.\n", + "fields": [ + { + "description": "`mysql` contains the metrics that were obtained from MySQL query.\n", + "fields": null, + "name": "mysql", + "type": "group" + } + ], + "key": "mysql", + "release": "ga", + "short_config": false, + "title": "MySQL" + } + ] + } + }, + "galera_status": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`galera_status` contains the metrics that were obtained by the status SQL query on Galera.\n", + "fields": [ + { + "description": "Apply status fields.\n", + "fields": [ + { + "description": "How often applier started write-set applying out-of-order (parallelization efficiency).\n", + "name": "oooe", + "type": "double" + }, + { + "description": "How often write-set was so slow to apply that write-set with higher seqno's were applied earlier. 
Values closer to 0 refer to a greater gap between slow and fast write-sets.\n", + "name": "oool", + "type": "double" + }, + { + "description": "Average distance between highest and lowest concurrently applied seqno.\n", + "name": "window", + "type": "double" + } + ], + "name": "apply", + "type": "group" + }, + { + "description": "Certification status fields.\n", + "fields": [ + { + "description": "Average distance between highest and lowest seqno value that can be possibly applied in parallel (potential degree of parallelization).\n", + "name": "deps_distance", + "type": "double" + }, + { + "description": "The number of entries in the certification index.\n", + "name": "index_size", + "type": "long" + }, + { + "description": "Average number of transactions received while a transaction replicates.\n", + "name": "interval", + "type": "double" + } + ], + "name": "cert", + "type": "group" + }, + { + "description": "Cluster status fields.\n", + "fields": [ + { + "description": "Total number of cluster membership changes happened.\n", + "name": "conf_id", + "type": "long" + }, + { + "description": "Current number of members in the cluster.\n", + "name": "size", + "type": "long" + }, + { + "description": "Status of this cluster component. That is, whether the node is part of a PRIMARY or NON_PRIMARY component.\n", + "name": "status", + "type": "keyword" + } + ], + "name": "cluster", + "type": "group" + }, + { + "description": "Commit status fields.\n", + "fields": [ + { + "description": "How often a transaction was committed out of order.\n", + "name": "oooe", + "type": "double" + }, + { + "description": "Average distance between highest and lowest concurrently committed seqno.\n", + "name": "window", + "type": "long" + } + ], + "name": "commit", + "type": "group" + }, + { + "description": "If the value is OFF, the node has not yet connected to any of the cluster components. This may be due to misconfiguration. 
Check the error log for proper diagnostics.\n", + "name": "connected", + "type": "keyword" + }, + { + "description": "Evs Fields.\n", + "fields": [ + { + "description": "Lists the UUID's of all nodes evicted from the cluster. Evicted nodes cannot rejoin the cluster until you restart their mysqld processes.\n", + "name": "evict", + "type": "keyword" + }, + { + "description": "Shows the internal state of the EVS Protocol.\n", + "name": "state", + "type": "keyword" + } + ], + "name": "evs", + "type": "group" + }, + { + "description": "Flow Control fields.\n", + "fields": [ + { + "description": "The fraction of time since the last FLUSH STATUS command that replication was paused due to flow control. In other words, how much the slave lag is slowing down the cluster.\n", + "name": "paused", + "type": "double" + }, + { + "description": "The total time spent in a paused state measured in nanoseconds.\n", + "name": "paused_ns", + "type": "long" + }, + { + "description": "Returns the number of FC_PAUSE events the node has received, including those the node has sent. Unlike most status variables, the counter for this one does not reset every time you run the query.\n", + "name": "recv", + "type": "long" + }, + { + "description": "Returns the number of FC_PAUSE events the node has sent. 
Unlike most status variables, the counter for this one does not reset every time you run the query.\n", + "name": "sent", + "type": "long" + } + ], + "name": "flow_ctl", + "type": "group" + }, + { + "description": "The sequence number, or seqno, of the last committed transaction.\n", + "name": "last_committed", + "type": "long" + }, + { + "description": "Node specific Cluster status fields.\n", + "fields": [ + { + "description": "Total number of local transactions that were aborted by slave transactions while in execution.\n", + "name": "bf_aborts", + "type": "long" + }, + { + "description": "Total number of local transactions that failed certification test.\n", + "name": "cert_failures", + "type": "long" + }, + { + "description": "Total number of local transactions committed.\n", + "name": "commits", + "type": "long" + }, + { + "description": "Node specific recv fields.\n", + "fields": [ + { + "description": "Current (instantaneous) length of the recv queue.\n", + "name": "queue", + "type": "long" + }, + { + "description": "Recv queue length averaged over interval since the last FLUSH STATUS command. 
Values considerably larger than 0.0 mean that the node cannot apply write-sets as fast as they are received and will generate a lot of replication throttling.\n", + "name": "queue_avg", + "type": "double" + }, + { + "description": "The maximum length of the recv queue since the last FLUSH STATUS command.\n", + "name": "queue_max", + "type": "long" + }, + { + "description": "The minimum length of the recv queue since the last FLUSH STATUS command.\n", + "name": "queue_min", + "type": "long" + } + ], + "name": "recv", + "type": "group" + }, + { + "description": "Total number of transaction replays due to asymmetric lock granularity.\n", + "name": "replays", + "type": "long" + }, + { + "description": "Node specific sent fields.\n", + "fields": [ + { + "description": "Current (instantaneous) length of the send queue.\n", + "name": "queue", + "type": "long" + }, + { + "description": "Send queue length averaged over time since the last FLUSH STATUS command. Values considerably larger than 0.0 indicate replication throttling or network throughput issue.\n", + "name": "queue_avg", + "type": "double" + }, + { + "description": "The maximum length of the send queue since the last FLUSH STATUS command.\n", + "name": "queue_max", + "type": "long" + }, + { + "description": "The minimum length of the send queue since the last FLUSH STATUS command.\n", + "name": "queue_min", + "type": "long" + } + ], + "name": "send", + "type": "group" + }, + { + "description": "Internal Galera Cluster FSM state number.\n", + "name": "state", + "type": "keyword" + } + ], + "name": "local", + "type": "group" + }, + { + "description": "Whether the server is ready to accept queries.\n", + "name": "ready", + "type": "keyword" + }, + { + "description": "Write-Set receive status fields.\n", + "fields": [ + { + "description": "Total number of write-sets received from other nodes.\n", + "name": "count", + "type": "long" + }, + { + "description": "Total size of write-sets received from other nodes.\n", + 
"name": "bytes", + "type": "long" + } + ], + "name": "received", + "type": "group" + }, + { + "description": "Replication status fields.\n", + "fields": [ + { + "description": "Total size of data replicated.\n", + "name": "data_bytes", + "type": "long" + }, + { + "description": "Total number of keys replicated.\n", + "name": "keys", + "type": "long" + }, + { + "description": "Total size of keys replicated.\n", + "name": "keys_bytes", + "type": "long" + }, + { + "description": "Total size of other bits replicated.\n", + "name": "other_bytes", + "type": "long" + }, + { + "description": "Total number of write-sets replicated (sent to other nodes).\n", + "name": "count", + "type": "long" + }, + { + "description": "Total size of write-sets replicated.\n", + "name": "bytes", + "type": "long" + } + ], + "name": "repl", + "type": "group" + } + ], + "name": "galera_status", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "performance": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`performance` contains metrics related to the performance of a MySQL instance\n", + "fields": [ + { + "description": "Records statement events summarized by schema and digest", + "fields": [ + { + "description": "Maximum wait time of the summarized events that are timed", + "name": "max.timer.wait", + "type": "long" + }, + { + "description": "Time at which the digest was most recently seen", + "name": "last.seen", + "type": "date" + }, + { + "description": "The 95th percentile of the statement latency, in picoseconds", + "name": "quantile.95", + "type": "long" + }, + { + "description": "Performance schema digest", + "name": "digest", + "type": "text" + }, + { + "description": "Number of summarized events", + "name": "count.star", + "type": "long" + }, + { + "description": "Average wait time of the summarized events that are timed", + "name": "avg.timer.wait", + "type": "long" + } + ], + "name": "events_statements", + "type": "group" + }, + { + 
"description": "Records table I/O waits by index", + "fields": [ + { + "fields": [ + { + "description": "Schema name", + "name": "schema", + "type": "keyword" + }, + { + "description": "Table name", + "name": "name", + "type": "keyword" + } + ], + "name": "object", + "type": "group" + }, + { + "description": "Name of the index that was used when the table I/O wait event was recorded. PRIMARY indicates that table I/O used the primary index. NULL means that table I/O used no index. Inserts are counted against INDEX_NAME = NULL\n", + "name": "index.name", + "type": "keyword" + }, + { + "description": "Number of all fetch operations > 0", + "name": "count.fetch", + "type": "long" + } + ], + "name": "table_io_waits", + "type": "group" + } + ], + "name": "performance", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "query": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`query` metricset fetches custom queries from the user to a MySQL instance.\n", + "fields": null, + "name": "query", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "status": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`status` contains the metrics that were obtained by the status SQL query.\n", + "fields": [ + { + "description": "Aborted status fields.\n", + "fields": [ + { + "description": "The number of connections that were aborted because the client died without closing the connection properly.\n", + "name": "clients", + "type": "long" + }, + { + "description": "The number of failed attempts to connect to the MySQL server.\n", + "name": "connects", + "type": "long" + } + ], + "name": "aborted", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "The number of errors that occurred while searching for connecting client IP addresses.", + "name": "peer_address", + "type": "long" + }, + { + "description": "The number of 
errors that occurred during calls to accept() on the listening port.", + "name": "accept", + "type": "long" + }, + { + "description": "The number of connections refused due to internal errors in the server, such as failure to start a new thread or an out-of-memory condition.\n", + "name": "internal", + "type": "long" + }, + { + "description": "The number of connections refused because the server max_connections limit was reached. thread or an out-of-memory condition.", + "name": "max", + "type": "long" + }, + { + "description": "The number of connections refused by the libwrap library.", + "name": "tcpwrap", + "type": "long" + }, + { + "description": "The number of errors that occurred during calls to select() or poll() on the listening port. (Failure of this operation does not necessarily means a client connection was rejected.)\n", + "name": "select", + "type": "long" + } + ], + "name": "errors", + "type": "group" + } + ], + "name": "connection", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "SSL session cache hits and misses.", + "fields": [ + { + "description": "The number of SSL session cache hits.", + "name": "hits", + "type": "long" + }, + { + "description": "The number of SSL session cache misses.", + "name": "misses", + "type": "long" + }, + { + "description": "The SSL session cache size.", + "name": "size", + "type": "long" + } + ], + "name": "ssl", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "The number of hits for open tables cache lookups.", + "name": "hits", + "type": "long" + }, + { + "description": "The number of misses for open tables cache lookups.", + "name": "misses", + "type": "long" + }, + { + "description": "Number of times, after a table is opened or closed, a cache instance has an unused entry and the size of the instance is larger than table_open_cache / table_open_cache_instances\n", + "name": "overflows", + "type": "long" + 
} + ], + "name": "open_cache", + "type": "group" + } + ], + "name": "table", + "type": "group" + } + ], + "name": "cache", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "", + "name": "cache.disk_use", + "type": "long" + }, + { + "description": "", + "name": "cache.use", + "type": "long" + } + ], + "name": "binlog", + "type": "group" + }, + { + "description": "Bytes stats.\n", + "fields": [ + { + "description": "The number of bytes received from all clients.\n", + "format": "bytes", + "name": "received", + "type": "long" + }, + { + "description": "The number of bytes sent to all clients.\n", + "format": "bytes", + "name": "sent", + "type": "long" + } + ], + "name": "bytes", + "type": "group" + }, + { + "description": "Threads stats.\n", + "fields": [ + { + "description": "The number of cached threads.\n", + "name": "cached", + "type": "long" + }, + { + "description": "The number of created threads.\n", + "name": "created", + "type": "long" + }, + { + "description": "The number of connected threads.\n", + "name": "connected", + "type": "long" + }, + { + "description": "The number of running threads.\n", + "name": "running", + "type": "long" + } + ], + "name": "threads", + "type": "group" + }, + { + "description": "", + "name": "connections", + "type": "long" + }, + { + "description": "", + "fields": [ + { + "description": "", + "name": "tmp.disk_tables", + "type": "long" + }, + { + "description": "", + "name": "tmp.files", + "type": "long" + }, + { + "description": "", + "name": "tmp.tables", + "type": "long" + } + ], + "name": "created", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "", + "name": "errors", + "type": "long" + }, + { + "description": "", + "name": "insert_threads", + "type": "long" + }, + { + "description": "", + "name": "writes", + "type": "long" + } + ], + "name": "delayed", + "type": "group" + }, + { + "description": "", + "name": "flush_commands", + "type": "long" + }, + { + 
"description": "", + "name": "max_used_connections", + "type": "long" + }, + { + "description": "", + "fields": [ + { + "description": "", + "name": "files", + "type": "long" + }, + { + "description": "", + "name": "streams", + "type": "long" + }, + { + "description": "", + "name": "tables", + "type": "long" + } + ], + "name": "open", + "type": "group" + }, + { + "description": "", + "name": "opened_tables", + "type": "long" + }, + { + "description": "", + "fields": [ + { + "description": "The number of DELETE queries since startup.\n", + "name": "delete", + "type": "long" + }, + { + "description": "The number of INSERT queries since startup.\n", + "name": "insert", + "type": "long" + }, + { + "description": "The number of SELECT queries since startup.\n", + "name": "select", + "type": "long" + }, + { + "description": "The number of UPDATE queries since startup.\n", + "name": "update", + "type": "long" + } + ], + "name": "command", + "type": "group" + }, + { + "description": "The number of statements executed by the server. This variable includes statements executed within stored programs, unlike the Questions variable. It does not count COM_PING or COM_STATISTICS commands.\n", + "name": "queries", + "type": "long" + }, + { + "description": "The number of statements executed by the server. This includes only statements sent to the server by clients and not statements executed within stored programs, unlike the Queries variable. 
This variable does not count COM_PING, COM_STATISTICS, COM_STMT_PREPARE, COM_STMT_CLOSE, or COM_STMT_RESET commands.\n", + "name": "questions", + "type": "long" + }, + { + "description": "", + "fields": [ + { + "description": "The number of internal COMMIT statements.\n", + "name": "commit", + "type": "long" + }, + { + "description": "The number of times that rows have been deleted from tables.\n", + "name": "delete", + "type": "long" + }, + { + "description": "The server increments this variable for each call to its external_lock() function, which generally occurs at the beginning and end of access to a table instance.\n", + "name": "external_lock", + "type": "long" + }, + { + "description": "The number of times the server uses a storage engine's own Multi-Range Read implementation for table access.\n", + "name": "mrr_init", + "type": "long" + }, + { + "description": "A counter for the prepare phase of two-phase commit operations.\n", + "name": "prepare", + "type": "long" + }, + { + "description": "", + "fields": [ + { + "description": "The number of times the first entry in an index was read.\n", + "name": "first", + "type": "long" + }, + { + "description": "The number of requests to read a row based on a key.\n", + "name": "key", + "type": "long" + }, + { + "description": "The number of requests to read the last key in an index.\n", + "name": "last", + "type": "long" + }, + { + "description": "The number of requests to read the next row in key order.\n", + "name": "next", + "type": "long" + }, + { + "description": "The number of requests to read the previous row in key order.\n", + "name": "prev", + "type": "long" + }, + { + "description": "The number of requests to read a row based on a fixed position.\n", + "name": "rnd", + "type": "long" + }, + { + "description": "The number of requests to read the next row in the data file.\n", + "name": "rnd_next", + "type": "long" + } + ], + "name": "read", + "type": "group" + }, + { + "description": "The number of 
requests for a storage engine to perform a rollback operation.\n", + "name": "rollback", + "type": "long" + }, + { + "description": "The number of requests for a storage engine to place a savepoint.\n", + "name": "savepoint", + "type": "long" + }, + { + "description": "The number of requests for a storage engine to roll back to a savepoint.\n", + "name": "savepoint_rollback", + "type": "long" + }, + { + "description": "The number of requests to update a row in a table.\n", + "name": "update", + "type": "long" + }, + { + "description": "The number of requests to insert a row in a table.\n", + "name": "write", + "type": "long" + } + ], + "name": "handler", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "The number of rows reads into InnoDB tables.", + "name": "reads", + "type": "long" + }, + { + "description": "The number of rows inserted into InnoDB tables.", + "name": "inserted", + "type": "long" + }, + { + "description": "The number of rows deleted into InnoDB tables.", + "name": "deleted", + "type": "long" + }, + { + "description": "The number of rows updated into InnoDB tables.", + "name": "updated", + "type": "long" + } + ], + "name": "rows", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "The progress of an operation to record the pages held in the InnoDB buffer pool, triggered by the setting of innodb_buffer_pool_dump_at_shutdown or innodb_buffer_pool_dump_now.\n", + "name": "dump_status", + "type": "long" + }, + { + "description": "The progress of an operation to warm up the InnoDB buffer pool by reading in a set of pages corresponding to an earlier point in time, triggered by the setting of innodb_buffer_pool_load_at_startup or innodb_buffer_pool_load_now.\n", + "name": "load_status", + "type": "long" + }, + { + "description": "", + "fields": [ + { + "description": "The total number of bytes in the InnoDB buffer pool containing data.\n", + "name": 
"data", + "type": "long" + }, + { + "description": "The total current number of bytes held in dirty pages in the InnoDB buffer pool.\n", + "name": "dirty", + "type": "long" + } + ], + "name": "bytes", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "he number of pages in the InnoDB buffer pool containing data.\n", + "name": "data", + "type": "long" + }, + { + "description": "The current number of dirty pages in the InnoDB buffer pool.\n", + "name": "dirty", + "type": "long" + }, + { + "description": "The number of requests to flush pages from the InnoDB buffer pool.\n", + "name": "flushed", + "type": "long" + }, + { + "description": "The number of free pages in the InnoDB buffer pool.\n", + "name": "free", + "type": "long" + }, + { + "description": "The number of latched pages in the InnoDB buffer pool.\n", + "name": "latched", + "type": "long" + }, + { + "description": "The number of pages in the InnoDB buffer pool that are busy because they have been allocated for administrative overhead, such as row locks or the adaptive hash index.\n", + "name": "misc", + "type": "long" + }, + { + "description": "The total size of the InnoDB buffer pool, in pages.\n", + "name": "total", + "type": "long" + } + ], + "name": "pages", + "type": "group" + }, + { + "description": "", + "fields": [ + { + "description": "The number of pages read into the InnoDB buffer pool by the read-ahead background thread.\n", + "name": "ahead", + "type": "long" + }, + { + "description": "The number of pages read into the InnoDB buffer pool by the read-ahead background thread that were subsequently evicted without having been accessed by queries.\n", + "name": "ahead_evicted", + "type": "long" + }, + { + "description": "The number of \"random\" read-aheads initiated by InnoDB.\n", + "name": "ahead_rnd", + "type": "long" + }, + { + "description": "The number of logical read requests.\n", + "name": "requests", + "type": "long" + } + ], + "name": "read", + "type": 
"group" + }, + { + "description": "", + "fields": [ + { + "description": "The number of logical reads that InnoDB could not satisfy from the buffer pool, and had to read directly from disk.\n", + "name": "reads", + "type": "long" + }, + { + "description": "The status of an operation to resize the InnoDB buffer pool dynamically, triggered by setting the innodb_buffer_pool_size parameter dynamically.\n", + "name": "resize_status", + "type": "long" + }, + { + "description": "Normally, writes to the InnoDB buffer pool happen in the background. When InnoDB needs to read or create a page and no clean pages are available, InnoDB flushes some dirty pages first and waits for that operation to finish. This counter counts instances of these waits.\n", + "name": "wait_free", + "type": "long" + } + ], + "name": "pool", + "type": "group" + }, + { + "description": "The number of writes done to the InnoDB buffer pool.\n", + "name": "write_requests", + "type": "long" + } + ], + "name": "buffer_pool", + "type": "group" + } + ], + "name": "innodb", + "type": "group" + } + ], + "name": "status", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "nats": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:8222" + ], + "metricsets": [ + "connections", + "routes", + "stats", + "subscriptions" + ], + "module": "nats", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "nats Module\n", + "fields": [ + { + "description": "`nats` contains statistics that were read from Nats\n", + "fields": [ + { + "description": "The server ID\n", + "name": "server.id", + "type": "keyword" + }, + { + "description": "Server time of metric creation\n", + "name": "server.time", + "type": "date" + } + ], + "name": "nats", + "type": "group" + } + ], + "key": "nats", + "release": "ga", + "title": "NATS" + } + ] + } + }, + "connections": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains nats 
connection related metrics\n", + "fields": [ + { + "description": "The number of currently active clients\n", + "name": "total", + "type": "integer" + } + ], + "name": "connections", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "routes": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains nats route related metrics\n", + "fields": [ + { + "description": "The number of registered routes\n", + "name": "total", + "type": "integer" + } + ], + "name": "routes", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "stats": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains nats var related metrics\n", + "fields": [ + { + "description": "The period the server is up (sec)\n", + "format": "duration", + "name": "uptime", + "type": "long" + }, + { + "description": "The current memory usage of NATS process\n", + "format": "bytes", + "name": "mem.bytes", + "type": "long" + }, + { + "description": "The number of logical cores the NATS process runs on\n", + "name": "cores", + "type": "integer" + }, + { + "description": "The current cpu usage of NATs process\n", + "format": "percent", + "name": "cpu", + "type": "scaled_float" + }, + { + "description": "The number of totally created clients\n", + "name": "total_connections", + "type": "long" + }, + { + "description": "The number of registered remotes\n", + "name": "remotes", + "type": "integer" + }, + { + "description": "The amount of incoming data\n", + "fields": [ + { + "description": "The amount of incoming messages\n", + "name": "messages", + "type": "long" + }, + { + "description": "The amount of incoming bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "in", + "type": "group" + }, + { + "description": "The amount of outgoing data\n", + "fields": [ + { + "description": "The amount of outgoing messages\n", + "name": "messages", + "type": "long" + }, + { + "description": "The amount 
of outgoing bytes\n", + "format": "bytes", + "name": "bytes", + "type": "long" + } + ], + "name": "out", + "type": "group" + }, + { + "description": "The number of slow consumers currently on NATS\n", + "name": "slow_consumers", + "type": "long" + }, + { + "description": "The http metrics of NATS server\n", + "fields": [ + { + "description": "The requests statistics\n", + "fields": [ + { + "description": "The request distribution on monitoring URIS\n", + "fields": [ + { + "description": "The number of hits on routez monitoring uri\n", + "name": "routez", + "type": "long" + }, + { + "description": "The number of hits on connz monitoring uri\n", + "name": "connz", + "type": "long" + }, + { + "description": "The number of hits on varz monitoring uri\n", + "name": "varz", + "type": "long" + }, + { + "description": "The number of hits on subsz monitoring uri\n", + "name": "subsz", + "type": "long" + }, + { + "description": "The number of hits on root monitoring uri\n", + "name": "root", + "type": "long" + } + ], + "name": "uri", + "type": "group" + } + ], + "name": "req_stats", + "type": "group" + } + ], + "name": "http", + "type": "group" + } + ], + "name": "stats", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "subscriptions": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains nats subscriptions related metrics\n", + "fields": [ + { + "description": "The number of active subscriptions\n", + "name": "total", + "type": "integer" + }, + { + "description": "The number of insert operations in subscriptions list\n", + "name": "inserts", + "type": "long" + }, + { + "description": "The number of remove operations in subscriptions list\n", + "name": "removes", + "type": "long" + }, + { + "description": "The number of times a match is found for a subscription\n", + "name": "matches", + "type": "long" + }, + { + "description": "The number of result sets in the cache\n", + "name": "cache.size", + "type": "integer" + }, + 
{ + "description": "The rate matches are being retrieved from cache\n", + "format": "percent", + "name": "cache.hit_rate", + "type": "scaled_float" + }, + { + "description": "The maximum fanout served by cache\n", + "name": "cache.fanout.max", + "type": "integer" + }, + { + "description": "The average fanout served by cache\n", + "name": "cache.fanout.avg", + "type": "double" + } + ], + "name": "subscriptions", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "nginx": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "http://127.0.0.1" + ], + "module": "nginx", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Nginx server status metrics collected from various modules.\n", + "fields": [ + { + "description": "`nginx` contains the metrics that were scraped from nginx.\n", + "fields": null, + "name": "nginx", + "type": "group" + } + ], + "key": "nginx", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "short_config": false, + "title": "Nginx" + } + ] + } + }, + "stubstatus": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`stubstatus` contains the metrics that were scraped from the ngx_http_stub_status_module status page.\n", + "fields": [ + { + "description": "Nginx hostname.\n", + "name": "hostname", + "type": "keyword" + }, + { + "description": "The current number of active client connections including Waiting connections.\n", + "name": "active", + "type": "long" + }, + { + "description": "The total number of accepted client connections.\n", + "name": "accepts", + "type": "long" + }, + { + "description": "The total number of handled client connections.\n", + "name": "handled", + "type": "long" + }, + { + "description": "The total number of dropped client connections.\n", + "name": "dropped", + "type": "long" + }, + { + "description": "The total number of client requests.\n", + "name": "requests", + "type": "long" + }, + { + "description": "The current 
number of client requests.\n", + "name": "current", + "type": "long" + }, + { + "description": "The current number of connections where Nginx is reading the request header.\n", + "name": "reading", + "type": "long" + }, + { + "description": "The current number of connections where Nginx is writing the response back to the client.\n", + "name": "writing", + "type": "long" + }, + { + "description": "The current number of idle client connections waiting for a request.\n", + "name": "waiting", + "type": "long" + } + ], + "name": "stubstatus", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "openmetrics": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:9090" + ], + "metrics_filters": { + "exclude": [], + "include": [] + }, + "metrics_path": "/metrics", + "metricsets": [ + "collector" + ], + "module": "openmetrics", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Openmetrics module\n", + "fields": [ + { + "description": "`openmetrics` contains metrics from endpoints that are following Openmetrics format.\n", + "fields": [ + { + "description": "Prometheus metric labels\n", + "name": "labels.*", + "object_type": "keyword", + "type": "object" + }, + { + "description": "Prometheus metric\n", + "name": "metrics.*", + "object_type": "double", + "object_type_mapping_type": "*", + "type": "object" + } + ], + "name": "openmetrics", + "type": "group" + } + ], + "key": "openmetrics", + "release": "beta", + "settings": [ + "http", + "ssl" + ], + "title": "Openmetrics" + } + ] + } + }, + "collector": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "release": "beta" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "remove_fields_from_comparison": [ + "openmetrics.labels.instance" + ], + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + } + } + }, + "oracle": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { 
+ "enabled": true, + "hosts": [ + "user:pass@0.0.0.0:1521/ORCLPDB1.localdomain" + ], + "metricsets": [ + "tablespace", + "performance" + ], + "module": "oracle", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Oracle database module", + "fields": [ + { + "description": "Oracle module", + "fields": null, + "name": "oracle", + "type": "group" + } + ], + "key": "oracle", + "release": "ga", + "short_config": false, + "title": "Oracle" + } + ] + } + }, + "performance": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Performance related metrics on a single database instance", + "fields": [ + { + "description": "Operating system machine name", + "name": "machine", + "type": "keyword" + }, + { + "description": "Name of the buffer pool in the instance", + "name": "buffer_pool", + "type": "keyword" + }, + { + "description": "Oracle username", + "name": "username", + "type": "keyword" + }, + { + "description": "Reloads / Pins ratio. A Reload is any PIN of an object that is not the first PIN performed since the object handle was created, and which requires loading the object from disk. 
Pins are the number of times a PIN was requested for objects of this namespace", + "name": "io_reloads", + "type": "double" + }, + { + "description": "Average of the ratio between 'gethits' and 'gets' being 'Gethits' the number of times an object's handle was found in memory and 'gets' the number of times a lock was requested for objects of this namespace.", + "name": "lock_requests", + "type": "long" + }, + { + "description": "Average of all pinhits/pins ratios being 'PinHits' the number of times all of the metadata pieces of the library object were found in memory and 'pins' the number of times a PIN was requested for objects of this namespace", + "name": "pin_requests", + "type": "double" + }, + { + "description": "Statistics about all buffer pools available for the instance", + "fields": [ + { + "description": "The cache hit ratio of the specified buffer pool.", + "name": "buffer.hit.pct", + "type": "double" + }, + { + "description": "Physical reads", + "name": "physical_reads", + "type": "long" + }, + { + "description": "Buffer pool 'get' statistics", + "fields": [ + { + "description": "Consistent gets statistic", + "name": "consistent", + "type": "long" + }, + { + "description": "Database blocks gotten", + "name": "db_blocks", + "type": "long" + } + ], + "name": "get", + "type": "group" + } + ], + "name": "cache", + "type": "group" + }, + { + "description": "Cursors information", + "fields": [ + { + "description": "Average cursors opened by username and machine", + "name": "avg", + "type": "double" + }, + { + "description": "Max cursors opened by username and machine", + "name": "max", + "type": "double" + }, + { + "description": "Total opened cursors by username and machine", + "name": "total", + "type": "double" + }, + { + "description": "Opened cursors statistic", + "fields": [ + { + "description": "Total number of current open cursors", + "name": "current", + "type": "long" + }, + { + "description": "Total number of cursors opened since the instance 
started", + "name": "total", + "type": "long" + } + ], + "name": "opened", + "type": "group" + }, + { + "description": "Parses statistic information that occured in the current session", + "fields": [ + { + "description": "Real number of parses that occurred: session cursor cache hits - parse count (total)", + "name": "real", + "type": "long" + }, + { + "description": "Total number of parse calls (hard and soft). A soft parse is a check on an object already in the shared pool, to verify that the permissions on the underlying object have not changed.", + "name": "total", + "type": "long" + } + ], + "name": "parse", + "type": "group" + }, + { + "description": "Number of hits in the session cursor cache. A hit means that the SQL statement did not have to be reparsed.", + "name": "session.cache_hits", + "type": "long" + }, + { + "description": "Ratio of session cursor cache hits from total number of cursors", + "name": "cache_hit.pct", + "type": "double" + } + ], + "name": "cursors", + "type": "group" + } + ], + "name": "performance", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "tablespace": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "tablespace", + "fields": [ + { + "description": "Tablespace name", + "name": "name", + "type": "keyword" + }, + { + "description": "Database files information", + "fields": [ + { + "description": "Tablespace unique identifier", + "name": "id", + "type": "long" + }, + { + "description": "Filename of the data file", + "name": "name", + "type": "keyword" + }, + { + "description": "Size information about the file", + "fields": [ + { + "description": "Maximum file size in bytes", + "format": "bytes", + "name": "max.bytes", + "type": "long" + }, + { + "description": "Size of the file in bytes", + "format": "bytes", + "name": "bytes", + "type": "long" + }, + { + "description": "The size of the file available for user data. 
The actual size of the file minus this value is used to store file related metadata.\n", + "format": "bytes", + "name": "free.bytes", + "type": "long" + } + ], + "name": "size", + "type": "group" + }, + { + "description": "'File status: AVAILABLE or INVALID (INVALID means that the file number is not in use, for example, a file in a tablespace that was dropped)'\n", + "name": "status", + "type": "keyword" + }, + { + "description": "Last known online status of the data file. One of SYSOFF, SYSTEM, OFFLINE, ONLINE or RECOVER.", + "name": "online_status", + "type": "keyword" + } + ], + "name": "data_file", + "type": "group" + }, + { + "description": "Tablespace space usage information", + "fields": [ + { + "description": "Tablespace total free space available, in bytes.", + "format": "bytes", + "name": "free.bytes", + "type": "long" + }, + { + "description": "Tablespace used space, in bytes.", + "format": "bytes", + "name": "used.bytes", + "type": "long" + }, + { + "description": "Tablespace total size, in bytes.", + "format": "bytes", + "name": "total.bytes", + "type": "long" + } + ], + "name": "space", + "type": "group" + } + ], + "name": "tablespace", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "php_fpm": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:8080" + ], + "module": "php_fpm", + "period": "10s", + "status_path": "/status" + } + ], + "fields.yml": [ + { + "description": "PHP-FPM server status metrics collected from PHP-FPM.\n", + "fields": [ + { + "description": "`php_fpm` contains the metrics that were obtained from PHP-FPM status page call.\n", + "fields": [ + { + "description": "`pool` contains the metrics that were obtained from the PHP-FPM process pool.\n", + "fields": [ + { + "description": "The name of the pool.\n", + "name": "name", + "type": "keyword" + } + ], + "name": "pool", + "type": "group" + } + ], + "name": "php_fpm", + "type": "group" + } + ], + "key": "php_fpm", + 
"release": "ga", + "settings": [ + "ssl", + "http" + ], + "short_config": false, + "title": "PHP_FPM" + } + ] + } + }, + "pool": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`pool` contains the metrics that were obtained from the PHP-FPM process pool.\n", + "fields": [ + { + "description": "Static, dynamic or ondemand.\n", + "name": "process_manager", + "type": "keyword" + }, + { + "description": "Connection state specific statistics.\n", + "fields": [ + { + "description": "The number of incoming requests that the PHP-FPM server has accepted; when a connection is accepted it is removed from the listen queue.\n", + "name": "accepted", + "type": "long" + }, + { + "description": "The current number of connections that have been initiated, but not yet accepted. If this value is non-zero it typically means that all the available server processes are currently busy, and there are no processes available to serve the next request. Raising `pm.max_children` (provided the server can handle it) should help keep this number low. This property follows from the fact that PHP-FPM listens via a socket (TCP or file based), and thus inherits some of the characteristics of sockets.\n", + "name": "queued", + "type": "long" + }, + { + "description": "The maximum number of requests in the queue of pending connections since FPM has started.\n", + "name": "max_listen_queue", + "type": "long" + }, + { + "description": "The size of the socket queue of pending connections.\n", + "name": "listen_queue_len", + "type": "long" + } + ], + "name": "connections", + "type": "group" + }, + { + "description": "Process state specific statistics.\n", + "fields": [ + { + "description": "The number of servers in the `waiting to process` state (i.e. not currently serving a page). 
This value should fall between the `pm.min_spare_servers` and `pm.max_spare_servers` values when the process manager is `dynamic`.\n", + "name": "idle", + "type": "long" + }, + { + "description": "The number of servers current processing a page - the minimum is `1` (so even on a fully idle server, the result will be not read `0`).\n", + "name": "active", + "type": "long" + }, + { + "description": "The number of idle + active processes.\n", + "name": "total", + "type": "long" + }, + { + "description": "The maximum number of active processes since FPM has started.\n", + "name": "max_active", + "type": "long" + }, + { + "description": "Number of times, the process limit has been reached, when pm tries to start more children (works only for pm 'dynamic' and 'ondemand').\n", + "name": "max_children_reached", + "type": "long" + } + ], + "name": "processes", + "type": "group" + }, + { + "description": "The number of times a request execution time has exceeded `request_slowlog_timeout`.\n", + "name": "slow_requests", + "type": "long" + }, + { + "description": "Number of seconds since FPM has started.\n", + "name": "start_since", + "type": "long" + }, + { + "description": "The date and time FPM has started.\n", + "name": "start_time", + "type": "date" + } + ], + "name": "pool", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "type": "http", + "url": "/status?json=" + } + } + } + } + } + } + }, + "process": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "process contains the metrics that were obtained from the PHP-FPM process.\n", + "fields": [ + { + "description": "The PID of the process\n", + "migration": true, + "name": "pid", + "path": "process.pid", + "type": "alias" + }, + { + "description": "The state of the process (Idle, Running, etc)\n", + "name": "state", + "type": "keyword" + }, + { + "description": "The date and time the process has started\n", + "name": 
"start_time", + "type": "date" + }, + { + "description": "The number of seconds since the process has started\n", + "name": "start_since", + "type": "integer" + }, + { + "description": "The number of requests the process has served\n", + "name": "requests", + "type": "integer" + }, + { + "description": "The duration in microseconds (1 million in a second) of the current request (my own definition)\n", + "name": "request_duration", + "type": "integer" + }, + { + "description": "The request method (GET, POST, etc) (of the current request)\n", + "migration": true, + "name": "request_method", + "path": "http.request.method", + "type": "alias" + }, + { + "description": "The request URI with the query string (of the current request)\n", + "migration": true, + "name": "request_uri", + "path": "url.original", + "type": "alias" + }, + { + "description": "The content length of the request (only with POST) (of the current request)\n", + "migration": true, + "name": "content_length", + "path": "http.response.body.bytes", + "type": "alias" + }, + { + "description": "The user (PHP_AUTH_USER) (or - if not set) (for the current request)\n", + "migration": true, + "name": "user", + "path": "user.name", + "type": "alias" + }, + { + "description": "The main script called (or - if not set) (for the current request)\n", + "name": "script", + "type": "keyword" + }, + { + "description": "The max amount of memory the last request consumed (it is always 0 if the process is not in Idle state because memory calculation is done when the request processing has terminated)\n", + "name": "last_request_cpu", + "type": "long" + }, + { + "description": "The content length of the request (only with POST) (of the current request)\n", + "name": "last_request_memory", + "type": "integer" + } + ], + "name": "process", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "type": "http", + "url": "/status?full=&json=" + } + } + } + } + } + } + } 
+ } + }, + "postgresql": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "postgres://localhost:5432" + ], + "module": "postgresql", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Metrics collected from PostgreSQL servers.\n", + "fields": [ + { + "description": "PostgreSQL metrics.\n", + "fields": null, + "name": "postgresql", + "type": "group" + } + ], + "key": "postgresql", + "release": "ga", + "short_config": false, + "title": "PostgreSQL" + } + ] + } + }, + "activity": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "One document per server process, showing information related to the current activity of that process, such as state and current query. Collected by querying pg_stat_activity.\n", + "fields": [ + { + "description": "OID of the database this backend is connected to.\n", + "name": "database.oid", + "type": "long" + }, + { + "description": "Name of the database this backend is connected to.\n", + "name": "database.name", + "type": "keyword" + }, + { + "description": "Process ID of this backend.\n", + "name": "pid", + "type": "long" + }, + { + "description": "OID of the user logged into this backend.\n", + "name": "user.id", + "type": "long" + }, + { + "description": "Name of the user logged into this backend.\n", + "name": "user.name" + }, + { + "description": "Name of the application that is connected to this backend.\n", + "name": "application_name" + }, + { + "description": "IP address of the client connected to this backend.\n", + "name": "client.address" + }, + { + "description": "Host name of the connected client, as reported by a reverse DNS lookup of client_addr.\n", + "name": "client.hostname" + }, + { + "description": "TCP port number that the client is using for communication with this backend, or -1 if a Unix socket is used.\n", + "name": "client.port", + "type": "long" + }, + { + "description": "Time when this process was started, i.e., when the client 
connected to the server.\n", + "name": "backend_start", + "type": "date" + }, + { + "description": "Time when this process' current transaction was started.\n", + "name": "transaction_start", + "type": "date" + }, + { + "description": "Time when the currently active query was started, or if state is not active, when the last query was started.\n", + "name": "query_start", + "type": "date" + }, + { + "description": "Time when the state was last changed.\n", + "name": "state_change", + "type": "date" + }, + { + "description": "True if this backend is currently waiting on a lock.\n", + "name": "waiting", + "type": "boolean" + }, + { + "description": "Current overall state of this backend. Possible values are:\n\n * active: The backend is executing a query.\n * idle: The backend is waiting for a new client command.\n * idle in transaction: The backend is in a transaction, but is not\n currently executing a query.\n * idle in transaction (aborted): This state is similar to idle in\n transaction, except one of the statements in the transaction caused\n an error.\n * fastpath function call: The backend is executing a fast-path function.\n * disabled: This state is reported if track_activities is disabled in this backend.\n", + "name": "state" + }, + { + "description": "Text of this backend's most recent query. If state is active this field shows the currently executing query. In all other states, it shows the last query that was executed.\n", + "name": "query" + } + ], + "name": "activity", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "bgwriter": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Statistics about the background writer process's activity. 
Collected using the pg_stat_bgwriter query.\n", + "fields": [ + { + "description": "Number of scheduled checkpoints that have been performed.\n", + "name": "checkpoints.scheduled", + "type": "long" + }, + { + "description": "Number of requested checkpoints that have been performed.\n", + "name": "checkpoints.requested", + "type": "long" + }, + { + "description": "Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk, in milliseconds.\n", + "name": "checkpoints.times.write.ms", + "type": "float" + }, + { + "description": "Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk, in milliseconds.\n", + "name": "checkpoints.times.sync.ms", + "type": "float" + }, + { + "description": "Number of buffers written during checkpoints.\n", + "name": "buffers.checkpoints", + "type": "long" + }, + { + "description": "Number of buffers written by the background writer.\n", + "name": "buffers.clean", + "type": "long" + }, + { + "description": "Number of times the background writer stopped a cleaning scan because it had written too many buffers.\n", + "name": "buffers.clean_full", + "type": "long" + }, + { + "description": "Number of buffers written directly by a backend.\n", + "name": "buffers.backend", + "type": "long" + }, + { + "description": "Number of times a backend had to execute its own fsync call (normally the background writer handles those even when the backend does its own write)\n", + "name": "buffers.backend_fsync", + "type": "long" + }, + { + "description": "Number of buffers allocated.\n", + "name": "buffers.allocated", + "type": "long" + }, + { + "description": "Time at which these statistics were last reset.\n", + "name": "stats_reset", + "type": "date" + } + ], + "name": "bgwriter", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "database": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "One 
row per database, showing database-wide statistics. Collected by querying pg_stat_database\n", + "fields": [ + { + "description": "OID of the database this backend is connected to.\n", + "name": "oid", + "type": "long" + }, + { + "description": "Name of the database this backend is connected to.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Number of backends currently connected to this database.\n", + "name": "number_of_backends", + "type": "long" + }, + { + "description": "Number of transactions in this database that have been committed.\n", + "name": "transactions.commit", + "type": "long" + }, + { + "description": "Number of transactions in this database that have been rolled back.\n", + "name": "transactions.rollback", + "type": "long" + }, + { + "description": "Number of disk blocks read in this database.\n", + "name": "blocks.read", + "type": "long" + }, + { + "description": "Number of times disk blocks were found already in the buffer cache, so that a read was not necessary (this only includes hits in the PostgreSQL buffer cache, not the operating system's file system cache).\n", + "name": "blocks.hit", + "type": "long" + }, + { + "description": "Time spent reading data file blocks by backends in this database, in milliseconds.\n", + "name": "blocks.time.read.ms", + "type": "long" + }, + { + "description": "Time spent writing data file blocks by backends in this database, in milliseconds.\n", + "name": "blocks.time.write.ms", + "type": "long" + }, + { + "description": "Number of rows returned by queries in this database.\n", + "name": "rows.returned", + "type": "long" + }, + { + "description": "Number of rows fetched by queries in this database.\n", + "name": "rows.fetched", + "type": "long" + }, + { + "description": "Number of rows inserted by queries in this database.\n", + "name": "rows.inserted", + "type": "long" + }, + { + "description": "Number of rows updated by queries in this database.\n", + "name": "rows.updated", + "type": 
"long" + }, + { + "description": "Number of rows deleted by queries in this database.\n", + "name": "rows.deleted", + "type": "long" + }, + { + "description": "Number of queries canceled due to conflicts with recovery in this database.\n", + "name": "conflicts", + "type": "long" + }, + { + "description": "Number of temporary files created by queries in this database. All temporary files are counted, regardless of why the temporary file was created (e.g., sorting or hashing), and regardless of the log_temp_files setting.\n", + "name": "temporary.files", + "type": "long" + }, + { + "description": "Total amount of data written to temporary files by queries in this database. All temporary files are counted, regardless of why the temporary file was created, and regardless of the log_temp_files setting.\n", + "name": "temporary.bytes", + "type": "long" + }, + { + "description": "Number of deadlocks detected in this database.\n", + "name": "deadlocks", + "type": "long" + }, + { + "description": "Time at which these statistics were last reset.\n", + "name": "stats_reset", + "type": "date" + } + ], + "name": "database", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "statement": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "One document per query per user per database, showing information related invocation of that query, such as cpu usage and total time. 
Collected by querying pg_stat_statements.\n", + "fields": [ + { + "description": "OID of the user logged into the backend that ran the query.\n", + "name": "user.id", + "type": "long" + }, + { + "description": "OID of the database the query was run on.\n", + "name": "database.oid", + "type": "long" + }, + { + "description": "ID of the statement.\n", + "name": "query.id", + "type": "long" + }, + { + "description": "Query text\n", + "name": "query.text" + }, + { + "description": "Number of times the query has been run.\n", + "name": "query.calls", + "type": "long" + }, + { + "description": "Total number of rows returned by query.\n", + "name": "query.rows", + "type": "long" + }, + { + "description": "Total number of milliseconds spent running query.\n", + "name": "query.time.total.ms", + "type": "float" + }, + { + "description": "Minimum number of milliseconds spent running query.\n", + "name": "query.time.min.ms", + "type": "float" + }, + { + "description": "Maximum number of milliseconds spent running query.\n", + "name": "query.time.max.ms", + "type": "float" + }, + { + "description": "Mean number of milliseconds spent running query.\n", + "name": "query.time.mean.ms", + "type": "long" + }, + { + "description": "Population standard deviation of time spent running query, in milliseconds.\n", + "name": "query.time.stddev.ms", + "type": "long" + }, + { + "description": "Total number of shared block cache hits by the query.\n", + "name": "query.memory.shared.hit", + "type": "long" + }, + { + "description": "Total number of shared block cache read by the query.\n", + "name": "query.memory.shared.read", + "type": "long" + }, + { + "description": "Total number of shared block cache dirtied by the query.\n", + "name": "query.memory.shared.dirtied", + "type": "long" + }, + { + "description": "Total number of shared block cache written by the query.\n", + "name": "query.memory.shared.written", + "type": "long" + }, + { + "description": "Total number of local block cache 
hits by the query.\n", + "name": "query.memory.local.hit", + "type": "long" + }, + { + "description": "Total number of local block cache read by the query.\n", + "name": "query.memory.local.read", + "type": "long" + }, + { + "description": "Total number of local block cache dirtied by the query.\n", + "name": "query.memory.local.dirtied", + "type": "long" + }, + { + "description": "Total number of local block cache written by the query.\n", + "name": "query.memory.local.written", + "type": "long" + }, + { + "description": "Total number of temp block cache read by the query.\n", + "name": "query.memory.temp.read", + "type": "long" + }, + { + "description": "Total number of temp block cache written by the query.\n", + "name": "query.memory.temp.written", + "type": "long" + } + ], + "name": "statement", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "prometheus": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:9090" + ], + "metrics_path": "/metrics", + "module": "prometheus", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Stats scraped from a Prometheus endpoint.\n", + "fields": [ + { + "description": "Prometheus gauge metric\n", + "name": "prometheus.*.value", + "object_type": "double", + "object_type_mapping_type": "*", + "type": "object" + }, + { + "description": "Prometheus counter metric\n", + "name": "prometheus.*.counter", + "object_type": "double", + "object_type_mapping_type": "*", + "type": "object" + }, + { + "description": "Prometheus rated counter metric\n", + "name": "prometheus.*.rate", + "object_type": "double", + "object_type_mapping_type": "*", + "type": "object" + }, + { + "description": "Prometheus histogram metric\n", + "name": "prometheus.*.histogram", + "object_type": "histogram", + "object_type_mapping_type": "*", + "type": "object" + } + ], + "key": "prometheus-xpack", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "title": "Prometheus typed 
metrics" + } + ] + } + }, + "collector": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "release": "ga" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "module": { + "rate_counters": true, + "use_types": true + }, + "remove_fields_from_comparison": [ + "prometheus.labels.instance" + ], + "suffix": "plain", + "type": "http", + "url": "/metrics" + } + } + } + } + } + } + }, + "query": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "query metricset\n", + "fields": null, + "name": "query", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "remote_write": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "remote write metrics from Prometheus server\n", + "fields": null, + "name": "remote_write", + "release": "beta", + "type": "group" + } + ] + } + } + } + } + } + }, + "rabbitmq": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:15672" + ], + "module": "rabbitmq", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "RabbitMQ module\n", + "fields": [ + { + "description": "", + "fields": [ + { + "description": "Virtual host name with non-ASCII characters escaped as in C.\n", + "name": "vhost", + "type": "keyword" + } + ], + "name": "rabbitmq", + "type": "group" + } + ], + "key": "rabbitmq", + "release": "ga", + "settings": [ + "ssl", + "http" + ], + "title": "RabbitMQ" + } + ] + } + }, + "connection": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "connection\n", + "fields": [ + { + "description": "The name of the connection with non-ASCII characters escaped as in C.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Virtual host name with non-ASCII characters escaped as in C.\n", + "migration": true, + "name": "vhost", + "path": "rabbitmq.vhost", + "type": "alias" + }, + { + "description": "User name.\n", + "migration": true, + "name": 
"user", + "path": "user.name", + "type": "alias" + }, + { + "description": "Node name.\n", + "migration": true, + "name": "node", + "path": "rabbitmq.node.name", + "type": "alias" + }, + { + "description": "The number of channels on the connection.\n", + "name": "channels", + "type": "long" + }, + { + "description": "The maximum number of channels allowed on the connection.\n", + "name": "channel_max", + "type": "long" + }, + { + "description": "Maximum permissible size of a frame (in bytes) to negotiate with clients.\n", + "format": "bytes", + "name": "frame_max", + "type": "long" + }, + { + "description": "Type of the connection.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Server hostname obtained via reverse DNS, or its IP address if reverse DNS failed or was disabled.\n", + "name": "host", + "type": "keyword" + }, + { + "description": "Peer hostname obtained via reverse DNS, or its IP address if reverse DNS failed or was not enabled.\n", + "name": "peer.host", + "type": "keyword" + }, + { + "description": "Server port.\n", + "name": "port", + "type": "long" + }, + { + "description": "Peer port.\n", + "name": "peer.port", + "type": "long" + }, + { + "description": "Number of packets sent on the connection.\n", + "name": "packet_count.sent", + "type": "long" + }, + { + "description": "Number of packets received on the connection.\n", + "name": "packet_count.received", + "type": "long" + }, + { + "description": "Number of packets pending on the connection.\n", + "name": "packet_count.pending", + "type": "long" + }, + { + "description": "Number of octets sent on the connection.\n", + "name": "octet_count.sent", + "type": "long" + }, + { + "description": "Number of octets received on the connection.\n", + "name": "octet_count.received", + "type": "long" + }, + { + "description": "User specified connection name.\n", + "name": "client_provided.name", + "type": "keyword" + } + ], + "name": "connection", + "release": "ga", + "type": "group" + } 
+ ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "url": "/api/connections" + } + } + } + } + } + } + }, + "exchange": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "exchange\n", + "fields": [ + { + "description": "The name of the queue with non-ASCII characters escaped as in C.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Virtual host name with non-ASCII characters escaped as in C.\n", + "migration": true, + "name": "vhost", + "path": "rabbitmq.vhost", + "type": "alias" + }, + { + "description": "Whether or not the queue survives server restarts.\n", + "name": "durable", + "type": "boolean" + }, + { + "description": "Whether the queue will be deleted automatically when no longer used.\n", + "name": "auto_delete", + "type": "boolean" + }, + { + "description": "Whether the exchange is internal, i.e. cannot be directly published to by a client.\n", + "name": "internal", + "type": "boolean" + }, + { + "description": "User who created the exchange.\n", + "migration": true, + "name": "user", + "path": "user.name", + "type": "alias" + }, + { + "description": "Count of messages published \"in\" to an exchange, i.e. not taking account of routing.\n", + "name": "messages.publish_in.count", + "type": "long" + }, + { + "description": "How much the exchange publish-in count has changed per second in the most recent sampling interval.\n", + "name": "messages.publish_in.details.rate", + "type": "float" + }, + { + "description": "Count of messages published \"out\" of an exchange, i.e. 
taking account of routing.\n", + "name": "messages.publish_out.count", + "type": "long" + }, + { + "description": "How much the exchange publish-out count has changed per second in the most recent sampling interval.\n", + "name": "messages.publish_out.details.rate", + "type": "float" + } + ], + "name": "exchange", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "node": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "node\n", + "fields": [ + { + "description": "Disk free space in bytes.\n", + "format": "bytes", + "name": "disk.free.bytes", + "type": "long" + }, + { + "description": "Point at which the disk alarm will go off.\n", + "format": "bytes", + "name": "disk.free.limit.bytes", + "type": "long" + }, + { + "description": "File descriptors available.\n", + "name": "fd.total", + "type": "long" + }, + { + "description": "Used file descriptors.\n", + "name": "fd.used", + "type": "long" + }, + { + "description": "Number of GC operations.\n", + "name": "gc.num.count", + "type": "long" + }, + { + "description": "GC bytes reclaimed.\n", + "format": "bytes", + "name": "gc.reclaimed.bytes", + "type": "long" + }, + { + "description": "File handle open avg time\n", + "name": "io.file_handle.open_attempt.avg.ms", + "type": "long" + }, + { + "description": "File handle open attempts\n", + "name": "io.file_handle.open_attempt.count", + "type": "long" + }, + { + "description": "File handle read avg time\n", + "name": "io.read.avg.ms", + "type": "long" + }, + { + "description": "Data read in bytes\n", + "format": "bytes", + "name": "io.read.bytes", + "type": "long" + }, + { + "description": "Data read operations\n", + "name": "io.read.count", + "type": "long" + }, + { + "description": "Data reopen operations\n", + "name": "io.reopen.count", + "type": "long" + }, + { + "description": "Data seek avg time\n", + "name": "io.seek.avg.ms", + "type": "long" + }, + { + "description": "Data seek operations\n", + "name": "io.seek.count", 
+ "type": "long" + }, + { + "description": "Data sync avg time\n", + "name": "io.sync.avg.ms", + "type": "long" + }, + { + "description": "Data sync operations\n", + "name": "io.sync.count", + "type": "long" + }, + { + "description": "Data write avg time\n", + "name": "io.write.avg.ms", + "type": "long" + }, + { + "description": "Data write in bytes\n", + "format": "bytes", + "name": "io.write.bytes", + "type": "long" + }, + { + "description": "Data write operations\n", + "name": "io.write.count", + "type": "long" + }, + { + "description": "Point at which the memory alarm will go off.\n", + "format": "bytes", + "name": "mem.limit.bytes", + "type": "long" + }, + { + "description": "Memory used in bytes.\n", + "name": "mem.used.bytes", + "type": "long" + }, + { + "description": "Number of Mnesia transactions which have been performed that required writes to disk.\n", + "name": "mnesia.disk.tx.count", + "type": "long" + }, + { + "description": "Number of Mnesia transactions which have been performed that did not require writes to disk.\n", + "name": "mnesia.ram.tx.count", + "type": "long" + }, + { + "description": "Number of messages which have been read from the message store.\n", + "name": "msg.store_read.count", + "type": "long" + }, + { + "description": "Number of messages which have been written to the message store.\n", + "name": "msg.store_write.count", + "type": "long" + }, + { + "description": "Node name", + "name": "name", + "type": "keyword" + }, + { + "description": "Maximum number of Erlang processes.\n", + "name": "proc.total", + "type": "long" + }, + { + "description": "Number of Erlang processes in use.\n", + "name": "proc.used", + "type": "long" + }, + { + "description": "Number of cores detected and usable by Erlang.\n", + "name": "processors", + "type": "long" + }, + { + "description": "Number of records written to the queue index journal.\n", + "name": "queue.index.journal_write.count", + "type": "long" + }, + { + "description": "Number of records 
read from the queue index.\n", + "name": "queue.index.read.count", + "type": "long" + }, + { + "description": "Number of records written to the queue index.\n", + "name": "queue.index.write.count", + "type": "long" + }, + { + "description": "Average number of Erlang processes waiting to run.\n", + "name": "run.queue", + "type": "long" + }, + { + "description": "File descriptors available for use as sockets.\n", + "name": "socket.total", + "type": "long" + }, + { + "description": "File descriptors used as sockets.\n", + "name": "socket.used", + "type": "long" + }, + { + "description": "Node type.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Node uptime.\n", + "name": "uptime", + "type": "long" + } + ], + "name": "node", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "queue": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "queue\n", + "fields": [ + { + "description": "The name of the queue with non-ASCII characters escaped as in C.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Virtual host name with non-ASCII characters escaped as in C.\n", + "migration": true, + "name": "vhost", + "path": "rabbitmq.vhost", + "type": "alias" + }, + { + "description": "Whether or not the queue survives server restarts.\n", + "name": "durable", + "type": "boolean" + }, + { + "description": "Whether the queue will be deleted automatically when no longer used.\n", + "name": "auto_delete", + "type": "boolean" + }, + { + "description": "Whether the queue is exclusive (i.e. has owner_pid).\n", + "name": "exclusive", + "type": "boolean" + }, + { + "description": "Node name.\n", + "migration": true, + "name": "node", + "path": "rabbitmq.node.name", + "type": "alias" + }, + { + "description": "The state of the queue. Normally 'running', but may be \"{syncing, MsgCount}\" if the queue is synchronising. 
Queues which are located on cluster nodes that are currently down will be shown with a status of 'down'.\n", + "name": "state", + "type": "keyword" + }, + { + "description": "Maximum number of priority levels for the queue to support.\n", + "name": "arguments.max_priority", + "type": "long" + }, + { + "description": "Number of consumers.\n", + "name": "consumers.count", + "type": "long" + }, + { + "description": "Fraction of the time (between 0.0 and 1.0) that the queue is able to immediately deliver messages to consumers. This can be less than 1.0 if consumers are limited by network congestion or prefetch count.\n", + "format": "percent", + "name": "consumers.utilisation.pct", + "type": "long" + }, + { + "description": "Sum of ready and unacknowledged messages (queue depth).\n", + "name": "messages.total.count", + "type": "long" + }, + { + "description": "How much the queue depth has changed per second in the most recent sampling interval.\n", + "name": "messages.total.details.rate", + "type": "float" + }, + { + "description": "Number of messages ready to be delivered to clients.\n", + "name": "messages.ready.count", + "type": "long" + }, + { + "description": "How much the count of messages ready has changed per second in the most recent sampling interval.\n", + "name": "messages.ready.details.rate", + "type": "float" + }, + { + "description": "Number of messages delivered to clients but not yet acknowledged.\n", + "name": "messages.unacknowledged.count", + "type": "long" + }, + { + "description": "How much the count of unacknowledged messages has changed per second in the most recent sampling interval.\n", + "name": "messages.unacknowledged.details.rate", + "type": "float" + }, + { + "description": "Total number of persistent messages in the queue (will always be 0 for transient queues).\n", + "name": "messages.persistent.count", + "type": "long" + }, + { + "description": "Bytes of memory consumed by the Erlang process associated with the queue, including stack, 
heap and internal structures.\n", + "format": "bytes", + "name": "memory.bytes", + "type": "long" + }, + { + "description": "Total number of times messages have been read from disk by this queue since it started.\n", + "name": "disk.reads.count", + "type": "long" + }, + { + "description": "Total number of times messages have been written to disk by this queue since it started.\n", + "name": "disk.writes.count", + "type": "long" + } + ], + "name": "queue", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "redis": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "127.0.0.1:6379" + ], + "module": "redis", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Redis metrics collected from Redis.\n", + "fields": [ + { + "description": "`redis` contains the information and statistics from Redis.\n", + "fields": null, + "name": "redis", + "type": "group" + } + ], + "key": "redis", + "release": "ga", + "title": "Redis" + } + ] + } + }, + "info": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`info` contains the information and statistics returned by the `INFO` command.\n", + "fields": [ + { + "description": "Redis client stats.\n", + "fields": [ + { + "description": "Number of client connections (excluding connections from slaves).\n", + "name": "connected", + "type": "long" + }, + { + "deprecated": "6.5.0", + "description": "Longest output list among current client connections (replaced by max_output_buffer).\n", + "name": "longest_output_list", + "type": "long" + }, + { + "description": "Longest output list among current client connections.\n", + "name": "max_output_buffer", + "type": "long" + }, + { + "deprecated": "6.5.0", + "description": "Biggest input buffer among current client connections (replaced by max_input_buffer).\n", + "name": "biggest_input_buf", + "type": "long" + }, + { + "description": "Biggest input buffer among current client connections (on redis 
5.0).\n", + "name": "max_input_buffer", + "type": "long" + }, + { + "description": "Number of clients pending on a blocking call (BLPOP, BRPOP, BRPOPLPUSH).\n", + "name": "blocked", + "type": "long" + } + ], + "name": "clients", + "type": "group" + }, + { + "description": "Redis cluster information.\n", + "fields": [ + { + "description": "Indicates that the Redis cluster is enabled.\n", + "name": "enabled", + "type": "boolean" + } + ], + "name": "cluster", + "type": "group" + }, + { + "description": "Redis CPU stats\n", + "fields": [ + { + "description": "System CPU consumed by the Redis server.\n", + "name": "used.sys", + "type": "scaled_float" + }, + { + "description": "User CPU consumed by the Redis server.\n", + "name": "used.sys_children", + "type": "scaled_float" + }, + { + "description": "System CPU consumed by the background processes.\n", + "name": "used.user", + "type": "scaled_float" + }, + { + "description": "User CPU consumed by the background processes.\n", + "name": "used.user_children", + "type": "scaled_float" + } + ], + "name": "cpu", + "type": "group" + }, + { + "description": "Redis memory stats.\n", + "fields": [ + { + "description": "Total number of bytes allocated by Redis.\n", + "format": "bytes", + "name": "used.value", + "type": "long" + }, + { + "description": "Number of bytes that Redis allocated as seen by the operating system (a.k.a resident set size).\n", + "format": "bytes", + "name": "used.rss", + "type": "long" + }, + { + "description": "Peak memory consumed by Redis.\n", + "format": "bytes", + "name": "used.peak", + "type": "long" + }, + { + "description": "Used memory by the Lua engine. 
\n", + "format": "bytes", + "name": "used.lua", + "type": "long" + }, + { + "description": "The size in bytes of the dataset \n", + "format": "bytes", + "name": "used.dataset", + "type": "long" + }, + { + "description": "Memory limit.\n", + "format": "bytes", + "name": "max.value", + "type": "long" + }, + { + "description": "Eviction policy to use when memory limit is reached.\n", + "name": "max.policy", + "type": "keyword" + }, + { + "description": "Ratio between used_memory_rss and used_memory\n", + "name": "fragmentation.ratio", + "type": "float" + }, + { + "description": "Bytes between used_memory_rss and used_memory\n", + "format": "bytes", + "name": "fragmentation.bytes", + "type": "long" + }, + { + "description": "Flag indicating if active defragmentation is active\n", + "name": "active_defrag.is_running", + "type": "boolean" + }, + { + "description": "Memory allocator.\n", + "name": "allocator", + "type": "keyword" + }, + { + "fields": [ + { + "description": "Allocated memory\n", + "format": "bytes", + "name": "allocated", + "type": "long" + }, + { + "description": "Active memeory\n", + "format": "bytes", + "name": "active", + "type": "long" + }, + { + "description": "Resident memory\n", + "format": "bytes", + "name": "resident", + "type": "long" + }, + { + "description": "Fragmentation ratio\n", + "name": "fragmentation.ratio", + "type": "float" + }, + { + "description": "Fragmented bytes\n", + "format": "bytes", + "name": "fragmentation.bytes", + "type": "long" + }, + { + "description": "Resident ratio\n", + "name": "rss.ratio", + "type": "float" + }, + { + "description": "Resident bytes\n", + "format": "bytes", + "name": "rss.bytes", + "type": "long" + } + ], + "name": "allocator_stats", + "type": "group" + } + ], + "name": "memory", + "type": "group" + }, + { + "description": "Redis CPU stats.\n", + "fields": [ + { + "description": "Flag indicating if the load of a dump file is on-going\n", + "name": "loading", + "type": "boolean" + }, + { + 
"description": "Provides information about RDB persistence\n", + "fields": [ + { + "description": "Number of changes since the last dump\n", + "name": "last_save.changes_since", + "type": "long" + }, + { + "description": "Epoch-based timestamp of last successful RDB save\n", + "name": "last_save.time", + "type": "long" + }, + { + "description": "Flag indicating a RDB save is on-going\n", + "name": "bgsave.in_progress", + "type": "boolean" + }, + { + "description": "Status of the last RDB save operation\n", + "name": "bgsave.last_status", + "type": "keyword" + }, + { + "description": "Duration of the last RDB save operation in seconds\n", + "format": "duration", + "name": "bgsave.last_time.sec", + "type": "long" + }, + { + "description": "Duration of the on-going RDB save operation if any\n", + "format": "duration", + "name": "bgsave.current_time.sec", + "type": "long" + }, + { + "description": "The size in bytes of copy-on-write allocations during the last RBD save operation \n", + "format": "bytes", + "name": "copy_on_write.last_size", + "type": "long" + } + ], + "name": "rdb", + "type": "group" + }, + { + "description": "Provides information about AOF persitence\n", + "fields": [ + { + "description": "Flag indicating AOF logging is activated\n", + "name": "enabled", + "type": "boolean" + }, + { + "description": "Flag indicating a AOF rewrite operation is on-going\n", + "name": "rewrite.in_progress", + "type": "boolean" + }, + { + "description": "Flag indicating an AOF rewrite operation will be scheduled once the on-going RDB save is complete.\n", + "name": "rewrite.scheduled", + "type": "boolean" + }, + { + "description": "Duration of the last AOF rewrite operation in seconds\n", + "format": "duration", + "name": "rewrite.last_time.sec", + "type": "long" + }, + { + "description": "Duration of the on-going AOF rewrite operation if any\n", + "format": "duration", + "name": "rewrite.current_time.sec", + "type": "long" + }, + { + "description": "Size of the AOF 
rewrite buffer\n", + "format": "bytes", + "name": "rewrite.buffer.size", + "type": "long" + }, + { + "description": "Status of the last AOF rewrite operatio\n", + "name": "bgrewrite.last_status", + "type": "keyword" + }, + { + "description": "Status of the last write operation to the AOF\n", + "name": "write.last_status", + "type": "keyword" + }, + { + "description": "The size in bytes of copy-on-write allocations during the last RBD save operation\n", + "format": "bytes", + "name": "copy_on_write.last_size", + "type": "long" + }, + { + "description": "Size of the AOF buffer\n", + "format": "bytes", + "name": "buffer.size", + "type": "long" + }, + { + "description": "AOF current file size \n", + "format": "bytes", + "name": "size.current", + "type": "long" + }, + { + "description": "AOF file size on latest startup or rewrite\n", + "format": "bytes", + "name": "size.base", + "type": "long" + }, + { + "description": "Number of fsync pending jobs in background I/O queue\n", + "name": "fsync.pending", + "type": "long" + }, + { + "description": "Delayed fsync counter\n", + "name": "fsync.delayed", + "type": "long" + } + ], + "name": "aof", + "type": "group" + } + ], + "name": "persistence", + "type": "group" + }, + { + "description": "Replication\n", + "fields": [ + { + "description": "Role of the instance (can be \"master\", or \"slave\").\n", + "name": "role", + "type": "keyword" + }, + { + "description": "Number of connected slaves\n", + "name": "connected_slaves", + "type": "long" + }, + { + "deprecated": 6.5, + "description": "The server's current replication offset\n", + "name": "master_offset", + "type": "long" + }, + { + "description": "Flag indicating replication backlog is active\n", + "name": "backlog.active", + "type": "long" + }, + { + "description": "Total size in bytes of the replication backlog buffer\n", + "format": "bytes", + "name": "backlog.size", + "type": "long" + }, + { + "description": "The master offset of the replication backlog buffer \n", + 
"name": "backlog.first_byte_offset", + "type": "long" + }, + { + "description": "Size in bytes of the data in the replication backlog buffer\n", + "name": "backlog.histlen", + "type": "long" + }, + { + "description": "The server's current replication offset\n", + "name": "master.offset", + "type": "long" + }, + { + "description": "The offset up to which replication IDs are accepted\n", + "name": "master.second_offset", + "type": "long" + }, + { + "description": "Status of the link (up/down)\n", + "name": "master.link_status", + "type": "keyword" + }, + { + "description": "Number of seconds since the last interaction with master\n", + "format": "duration", + "name": "master.last_io_seconds_ago", + "type": "long" + }, + { + "description": "Indicate the master is syncing to the slave\n", + "name": "master.sync.in_progress", + "type": "boolean" + }, + { + "description": "Number of bytes left before syncing is complete\n", + "format": "bytes", + "name": "master.sync.left_bytes", + "type": "long" + }, + { + "description": "Number of seconds since last transfer I/O during a SYNC operation\n", + "format": "duration", + "name": "master.sync.last_io_seconds_ago", + "type": "long" + }, + { + "description": "The replication offset of the slave instance\n", + "name": "slave.offset", + "type": "long" + }, + { + "description": "The priority of the instance as a candidate for failover\n", + "name": "slave.priority", + "type": "long" + }, + { + "description": "Flag indicating if the slave is read-only\n", + "name": "slave.is_readonly", + "type": "boolean" + } + ], + "name": "replication", + "type": "group" + }, + { + "description": "Server info\n", + "fields": [ + { + "description": null, + "migration": true, + "name": "version", + "path": "service.version", + "type": "alias" + }, + { + "description": null, + "name": "git_sha1", + "type": "keyword" + }, + { + "description": null, + "name": "git_dirty", + "type": "keyword" + }, + { + "description": null, + "name": "build_id", + 
"type": "keyword" + }, + { + "description": null, + "name": "mode", + "type": "keyword" + }, + { + "description": null, + "migration": true, + "name": "os", + "path": "os.full", + "type": "alias" + }, + { + "description": null, + "name": "arch_bits", + "type": "keyword" + }, + { + "description": null, + "name": "multiplexing_api", + "type": "keyword" + }, + { + "description": null, + "name": "gcc_version", + "type": "keyword" + }, + { + "description": null, + "migration": true, + "name": "process_id", + "path": "process.pid", + "type": "alias" + }, + { + "description": null, + "name": "run_id", + "type": "keyword" + }, + { + "description": null, + "name": "tcp_port", + "type": "long" + }, + { + "description": null, + "name": "uptime", + "type": "long" + }, + { + "description": null, + "name": "hz", + "type": "long" + }, + { + "description": null, + "name": "lru_clock", + "type": "long" + }, + { + "description": null, + "name": "config_file", + "type": "keyword" + } + ], + "name": "server", + "type": "group" + }, + { + "description": "Redis stats.\n", + "fields": [ + { + "description": "Total number of connections received.", + "name": "connections.received", + "type": "long" + }, + { + "description": "Total number of connections rejected.", + "name": "connections.rejected", + "type": "long" + }, + { + "description": "Total number of commands processed.", + "name": "commands_processed", + "type": "long" + }, + { + "description": "Total network input in bytes.", + "name": "net.input.bytes", + "type": "long" + }, + { + "description": "Total network output in bytes.", + "name": "net.output.bytes", + "type": "long" + }, + { + "description": "Number of commands processed per second\n", + "name": "instantaneous.ops_per_sec", + "type": "long" + }, + { + "description": "The network's read rate per second in KB/sec\n", + "name": "instantaneous.input_kbps", + "type": "scaled_float" + }, + { + "description": "The network's write rate per second in KB/sec\n", + "name": 
"instantaneous.output_kbps", + "type": "scaled_float" + }, + { + "description": "The number of full resyncs with slaves\n", + "name": "sync.full", + "type": "long" + }, + { + "description": "The number of accepted partial resync requests\n", + "name": "sync.partial.ok", + "type": "long" + }, + { + "description": "The number of denied partial resync requests\n", + "name": "sync.partial.err", + "type": "long" + }, + { + "description": "Total number of key expiration events\n", + "name": "keys.expired", + "type": "long" + }, + { + "description": "Number of evicted keys due to maxmemory limit\n", + "name": "keys.evicted", + "type": "long" + }, + { + "description": "Number of successful lookup of keys in the main dictionary\n", + "name": "keyspace.hits", + "type": "long" + }, + { + "description": "Number of failed lookup of keys in the main dictionary\n", + "name": "keyspace.misses", + "type": "long" + }, + { + "description": "Global number of pub/sub channels with client subscriptions\n", + "name": "pubsub.channels", + "type": "long" + }, + { + "description": "Global number of pub/sub pattern with client subscriptions\n", + "name": "pubsub.patterns", + "type": "long" + }, + { + "description": "Duration of the latest fork operation in microseconds\n", + "name": "latest_fork_usec", + "type": "long" + }, + { + "description": "The number of sockets open for MIGRATE purposes\n", + "name": "migrate_cached_sockets", + "type": "long" + }, + { + "description": "The number of keys tracked for expiry purposes (applicable only to writable slaves)\n", + "name": "slave_expires_tracked_keys", + "type": "long" + }, + { + "description": "Number of value reallocations performed by active the defragmentation process\n", + "name": "active_defrag.hits", + "type": "long" + }, + { + "description": "Number of aborted value reallocations started by the active defragmentation process\n", + "name": "active_defrag.misses", + "type": "long" + }, + { + "description": "Number of keys that were 
actively defragmented\n", + "name": "active_defrag.key_hits", + "type": "long" + }, + { + "description": "Number of keys that were skipped by the active defragmentation process\n", + "name": "active_defrag.key_misses", + "type": "long" + } + ], + "name": "stats", + "type": "group" + }, + { + "description": "Count of slow operations\n", + "name": "slowlog.count", + "type": "long" + } + ], + "name": "info", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "key": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`key` contains information about keys.\n", + "fields": [ + { + "description": "Key name.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Unique id for this key (With the form :).\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Key type as shown by `TYPE` command.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Length of the key (Number of elements for lists, length for strings, cardinality for sets).\n", + "name": "length", + "type": "long" + }, + { + "description": "Seconds to expire.\n", + "name": "expire.ttl", + "type": "long" + } + ], + "name": "key", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "keyspace": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`keyspace` contains the information about the keyspaces returned by the `INFO` command.\n", + "fields": [ + { + "description": "Keyspace identifier.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "Average ttl.\n", + "name": "avg_ttl", + "type": "long" + }, + { + "description": "Number of keys in the keyspace.\n", + "name": "keys", + "type": "long" + }, + { + "description": "", + "name": "expires", + "type": "long" + } + ], + "name": "keyspace", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "redisenterprise": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + 
"https://127.0.0.1:8070/" + ], + "metricsets": [ + "node", + "proxy" + ], + "module": "redisenterprise", + "period": "1m" + } + ], + "fields.yml": [ + { + "description": "Redis metrics collected from Redis Enterprise Server.\n", + "fields": [ + { + "description": "`redisenterprise` contains the information and statistics from Redis Enterprise Server.\n", + "fields": null, + "name": "redisenterprise", + "type": "group" + } + ], + "key": "redisenterprise", + "release": "beta", + "title": "Redis Enterprise" + } + ] + } + }, + "node": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "fields": null, + "name": "node", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "remove_fields_from_comparison": [ + "prometheus.labels.instance" + ], + "suffix": "plain", + "type": "http", + "url": "/" + } + } + } + } + } + } + }, + "proxy": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "fields": null, + "name": "proxy", + "release": "beta", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "remove_fields_from_comparison": [ + "prometheus.labels.instance" + ], + "suffix": "plain", + "type": "http", + "url": "/" + } + } + } + } + } + } + } + } + }, + "sql": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "driver": "postgres", + "hosts": [ + "user=myuser password=mypassword dbname=mydb sslmode=disable" + ], + "metricsets": [ + "query" + ], + "module": "sql", + "period": "10s", + "sql_query": "select now()", + "sql_response_format": "table" + } + ], + "fields.yml": [ + { + "description": "SQL module fetches metrics from a SQL database\n", + "fields": [ + { + "fields": [ + { + "description": "Driver used to execute the query.\n", + "name": "driver", + "type": "keyword" + }, + { + "description": "Query executed to collect metrics.\n", + "name": "query", + "type": "keyword" + }, + { + "description": "Numeric metrics 
collected.\n", + "name": "metrics.numeric.*", + "object_type": "double", + "type": "object" + }, + { + "description": "Non-numeric values collected.\n", + "name": "metrics.string.*", + "object_type": "keyword", + "type": "object" + }, + { + "description": "Boolean values collected.\n", + "name": "metrics.boolean.*", + "object_type": "keyword", + "type": "object" + } + ], + "name": "sql", + "type": "group" + } + ], + "key": "sql", + "release": "beta", + "title": "SQL" + } + ] + } + }, + "query": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "release": "beta" + } + ] + } + } + } + } + } + }, + "stan": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:8222" + ], + "metricsets": [ + "stats", + "subscriptions", + "channels" + ], + "module": "stan", + "period": "60s" + } + ], + "fields.yml": [ + { + "description": "stan Module\n", + "fields": [ + { + "description": "`stan` contains statistics that were read from Nats Streaming server (STAN)\n", + "fields": [ + { + "description": "The server ID\n", + "name": "server.id", + "type": "keyword" + }, + { + "description": "The cluster ID\n", + "name": "cluster.id", + "type": "keyword" + } + ], + "name": "stan", + "type": "group" + } + ], + "key": "stan", + "release": "ga", + "title": "Stan" + } + ] + } + }, + "channels": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains stan / nats streaming/serverz endpoint metrics\n", + "fields": [ + { + "description": "The name of the STAN streaming channel\n", + "name": "name", + "type": "keyword" + }, + { + "description": "The number of STAN streaming messages\n", + "name": "messages", + "type": "long" + }, + { + "description": "The number of STAN bytes in the channel\n", + "name": "bytes", + "type": "long" + }, + { + "description": "First sequence number stored in the channel. 
If first_seq > min([seq in subscriptions]) data loss has possibly occurred\n", + "name": "first_seq", + "type": "long" + }, + { + "description": "Last sequence number stored in the channel\n", + "name": "last_seq", + "type": "long" + }, + { + "description": "Queue depth based upon current sequence number and highest reported subscriber sequence number\n", + "name": "depth", + "type": "long" + } + ], + "name": "channels", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "stats": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains only high-level stan / nats streaming server related metrics\n", + "fields": [ + { + "description": "The cluster / streaming configuration state (STANDALONE, CLUSTERED)\n", + "name": "state", + "type": "keyword" + }, + { + "description": "If clustered, role of this node in the cluster (Leader, Follower, Candidate)\n", + "name": "role", + "type": "keyword" + }, + { + "description": "The number of STAN clients\n", + "name": "clients", + "type": "integer" + }, + { + "description": "The number of STAN streaming subscriptions\n", + "name": "subscriptions", + "type": "integer" + }, + { + "description": "The number of STAN channels\n", + "name": "channels", + "type": "integer" + }, + { + "description": "Number of messages across all STAN queues\n", + "name": "messages", + "type": "long" + }, + { + "description": "Number of bytes consumed across all STAN queues\n", + "name": "bytes", + "type": "long" + } + ], + "name": "stats", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "subscriptions": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Contains stan / nats streaming/serverz endpoint subscription metrics\n", + "fields": [ + { + "description": "The name of the STAN channel subscription (client_id)\n", + "name": "id", + "type": "keyword" + }, + { + "description": "The name of the STAN channel the subscription is associated with\n", + "name": 
"channel", + "type": "keyword" + }, + { + "description": "The name of the NATS queue that the STAN channel subscription is associated with, if any\n", + "name": "queue", + "type": "keyword" + }, + { + "description": "Last known sequence number of the subscription that was acked\n", + "name": "last_sent", + "type": "long" + }, + { + "description": "Number of pending messages from / to the subscriber\n", + "name": "pending", + "type": "long" + }, + { + "description": "Is the subscriber marked as offline?\n", + "name": "offline", + "type": "boolean" + }, + { + "description": "Is the subscriber known to be stalled?\n", + "name": "stalled", + "type": "boolean" + } + ], + "name": "subscriptions", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "statsd": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "enabled": false, + "host": "localhost", + "module": "statsd", + "port": "8125" + } + ], + "fields.yml": [ + { + "description": "Statsd module\n", + "fields": [ + { + "fields": [ + { + "description": "Statsd counters\n", + "name": "*.count", + "object_type": "long", + "object_type_mapping_type": "long", + "type": "object" + }, + { + "description": "Statsd metrics\n", + "name": "*.*", + "object_type": "float", + "object_type_mapping_type": "*", + "type": "object" + } + ], + "name": "statsd", + "type": "group" + } + ], + "key": "statsd", + "release": "ga", + "title": "Statsd" + } + ] + } + }, + "server": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "release": "ga" + } + ] + } + } + } + } + } + }, + "system": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "metricsets": [ + "cpu", + "load", + "memory", + "network", + "process", + "process_summary", + "socket_summary" + ], + "module": "system", + "period": "10s", + "process.include_top_n": { + "by_cpu": 5, + "by_memory": 5 + } + }, + { + "metricsets": [ + "filesystem", + "fsstat" + ], + "module": "system", + "period": "1m", + "processors": [ + { 
+ "drop_event.when.regexp": { + "system.filesystem.mount_point": "^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)" + } + } + ] + }, + { + "metricsets": [ + "uptime" + ], + "module": "system", + "period": "15m" + } + ], + "fields.yml": [ + { + "description": "System status metrics, like CPU and memory usage, that are collected from the operating system.\n", + "fields": [ + { + "description": "`system` contains local system metrics.\n", + "fields": null, + "name": "system", + "type": "group" + } + ], + "key": "system", + "release": "ga", + "short_config": true, + "title": "System" + } + ] + } + }, + "core": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`system-core` contains CPU metrics for a single core of a multi-core system.\n", + "fields": [ + { + "description": "CPU Core number.\n", + "name": "id", + "type": "long" + }, + { + "description": "The percentage of CPU time spent in user space.\n", + "format": "percent", + "name": "user.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent in user space.\n", + "name": "user.ticks", + "type": "long" + }, + { + "description": "The percentage of CPU time spent in kernel space.\n", + "format": "percent", + "name": "system.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent in kernel space.\n", + "name": "system.ticks", + "type": "long" + }, + { + "description": "The percentage of CPU time spent on low-priority processes.\n", + "format": "percent", + "name": "nice.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent on low-priority processes.\n", + "name": "nice.ticks", + "type": "long" + }, + { + "description": "The percentage of CPU time spent idle.\n", + "format": "percent", + "name": "idle.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent idle.\n", + "name": "idle.ticks", + "type": "long" + }, + { + "description": "The percentage of CPU time spent 
in wait (on disk).\n", + "format": "percent", + "name": "iowait.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent in wait (on disk).\n", + "name": "iowait.ticks", + "type": "long" + }, + { + "description": "The percentage of CPU time spent servicing and handling hardware interrupts.\n", + "format": "percent", + "name": "irq.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent servicing and handling hardware interrupts.\n", + "name": "irq.ticks", + "type": "long" + }, + { + "description": "The percentage of CPU time spent servicing and handling software interrupts.\n", + "format": "percent", + "name": "softirq.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent servicing and handling software interrupts.\n", + "name": "softirq.ticks", + "type": "long" + }, + { + "description": "The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.\n", + "format": "percent", + "name": "steal.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.\n", + "name": "steal.ticks", + "type": "long" + } + ], + "name": "core", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "cpu": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`cpu` contains local CPU stats.\n", + "fields": [ + { + "description": "The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%.\n", + "name": "cores", + "type": "long" + }, + { + "description": "The percentage of CPU time spent in user space. 
On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%.\n", + "format": "percent", + "name": "user.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in kernel space.\n", + "format": "percent", + "name": "system.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent on low-priority processes.\n", + "format": "percent", + "name": "nice.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent idle.\n", + "format": "percent", + "name": "idle.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in wait (on disk).\n", + "format": "percent", + "name": "iowait.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent servicing and handling hardware interrupts.\n", + "format": "percent", + "name": "irq.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent servicing and handling software interrupts.\n", + "format": "percent", + "name": "softirq.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. 
Available only on Unix.\n", + "format": "percent", + "name": "steal.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in states other than Idle and IOWait.\n", + "format": "percent", + "name": "total.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in user space.\n", + "format": "percent", + "name": "user.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in kernel space.\n", + "format": "percent", + "name": "system.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent on low-priority processes.\n", + "format": "percent", + "name": "nice.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent idle.\n", + "format": "percent", + "name": "idle.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in wait (on disk).\n", + "format": "percent", + "name": "iowait.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent servicing and handling hardware interrupts.\n", + "format": "percent", + "name": "irq.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent servicing and handling software interrupts.\n", + "format": "percent", + "name": "softirq.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. 
Available only on Unix.\n", + "format": "percent", + "name": "steal.norm.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores.\n", + "format": "percent", + "name": "total.norm.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time spent in user space.\n", + "name": "user.ticks", + "type": "long" + }, + { + "description": "The amount of CPU time spent in kernel space.\n", + "name": "system.ticks", + "type": "long" + }, + { + "description": "The amount of CPU time spent on low-priority processes.\n", + "name": "nice.ticks", + "type": "long" + }, + { + "description": "The amount of CPU time spent idle.\n", + "name": "idle.ticks", + "type": "long" + }, + { + "description": "The amount of CPU time spent in wait (on disk).\n", + "name": "iowait.ticks", + "type": "long" + }, + { + "description": "The amount of CPU time spent servicing and handling hardware interrupts.\n", + "name": "irq.ticks", + "type": "long" + }, + { + "description": "The amount of CPU time spent servicing and handling software interrupts.\n", + "name": "softirq.ticks", + "type": "long" + }, + { + "description": "The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.\n", + "name": "steal.ticks", + "type": "long" + } + ], + "name": "cpu", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "diskio": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`disk` contains disk IO metrics collected from the operating system.\n", + "fields": [ + { + "description": "The disk name.\n", + "example": "sda1", + "name": "name", + "type": "keyword" + }, + { + "description": "The disk's serial number. 
This may not be provided by all operating systems.\n", + "name": "serial_number", + "type": "keyword" + }, + { + "description": "The total number of reads completed successfully.\n", + "name": "read.count", + "type": "long" + }, + { + "description": "The total number of writes completed successfully.\n", + "name": "write.count", + "type": "long" + }, + { + "description": "The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512.\n", + "format": "bytes", + "name": "read.bytes", + "type": "long" + }, + { + "description": "The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512.\n", + "format": "bytes", + "name": "write.bytes", + "type": "long" + }, + { + "description": "The total number of milliseconds spent by all reads.\n", + "name": "read.time", + "type": "long" + }, + { + "description": "The total number of milliseconds spent by all writes.\n", + "name": "write.time", + "type": "long" + }, + { + "description": "The total number of of milliseconds spent doing I/Os.\n", + "name": "io.time", + "type": "long" + }, + { + "description": "The number of read requests merged per second that were queued to the device.\n", + "name": "iostat.read.request.merges_per_sec", + "type": "float" + }, + { + "description": "The number of write requests merged per second that were queued to the device.\n", + "name": "iostat.write.request.merges_per_sec", + "type": "float" + }, + { + "description": "The number of read requests that were issued to the device per second\n", + "name": "iostat.read.request.per_sec", + "type": "float" + }, + { + "description": "The number of write requests that were issued to the device per second\n", + "name": "iostat.write.request.per_sec", + "type": "float" + }, + { + "description": "The number of Bytes read from the device per second.\n", + "format": "bytes", + "name": "iostat.read.per_sec.bytes", 
+ "type": "float" + }, + { + "description": "The average time spent for read requests issued to the device to be served.\n", + "name": "iostat.read.await", + "type": "float" + }, + { + "description": "The number of Bytes write from the device per second.\n", + "format": "bytes", + "name": "iostat.write.per_sec.bytes", + "type": "float" + }, + { + "description": "The average time spent for write requests issued to the device to be served.\n", + "name": "iostat.write.await", + "type": "float" + }, + { + "description": "The average size (in bytes) of the requests that were issued to the device.\n", + "name": "iostat.request.avg_size", + "type": "float" + }, + { + "description": "The average queue length of the requests that were issued to the device.\n", + "name": "iostat.queue.avg_size", + "type": "float" + }, + { + "description": "The average time spent for requests issued to the device to be served.\n", + "name": "iostat.await", + "type": "float" + }, + { + "description": "The average service time (in milliseconds) for I/O requests that were issued to the device.\n", + "name": "iostat.service_time", + "type": "float" + }, + { + "description": "Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). 
Device saturation occurs when this value is close to 100%.\n", + "name": "iostat.busy", + "type": "float" + } + ], + "name": "diskio", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "entropy": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Available system entropy\n", + "fields": [ + { + "description": "The available bits of entropy\n", + "name": "available_bits", + "type": "long" + }, + { + "description": "The percentage of available entropy, relative to the pool size of 4096\n", + "format": "percent", + "name": "pct", + "type": "scaled_float" + } + ], + "name": "entropy", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "filesystem": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`filesystem` contains local filesystem stats.\n", + "fields": [ + { + "description": "The disk space available to an unprivileged user in bytes.\n", + "format": "bytes", + "name": "available", + "type": "long" + }, + { + "description": "The disk name. For example: `/dev/disk1`\n", + "name": "device_name", + "type": "keyword" + }, + { + "description": "The disk type. For example: `ext4`\n", + "name": "type", + "type": "keyword" + }, + { + "description": "The mounting point. 
For example: `/`\n", + "name": "mount_point", + "type": "keyword" + }, + { + "description": "The total number of file nodes in the file system.\n", + "name": "files", + "type": "long" + }, + { + "description": "The disk space available in bytes.\n", + "format": "bytes", + "name": "free", + "type": "long" + }, + { + "description": "The number of free file nodes in the file system.\n", + "name": "free_files", + "type": "long" + }, + { + "description": "The total disk space in bytes.\n", + "format": "bytes", + "name": "total", + "type": "long" + }, + { + "description": "The used disk space in bytes.\n", + "format": "bytes", + "name": "used.bytes", + "type": "long" + }, + { + "description": "The percentage of used disk space.\n", + "format": "percent", + "name": "used.pct", + "type": "scaled_float" + } + ], + "name": "filesystem", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "fsstat": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`system.fsstat` contains filesystem metrics aggregated from all mounted filesystems.\n", + "fields": [ + { + "description": "Number of file systems found.", + "name": "count", + "type": "long" + }, + { + "description": "Total number of files.", + "name": "total_files", + "type": "long" + }, + { + "description": "Nested file system docs.", + "fields": [ + { + "description": "Total free space.\n", + "format": "bytes", + "name": "free", + "type": "long" + }, + { + "description": "Total used space.\n", + "format": "bytes", + "name": "used", + "type": "long" + }, + { + "description": "Total space (used plus free).\n", + "format": "bytes", + "name": "total", + "type": "long" + } + ], + "format": "bytes", + "name": "total_size", + "type": "group" + } + ], + "name": "fsstat", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "load": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "CPU load averages.\n", + "fields": [ + { + "description": "Load 
average for the last minute.\n", + "name": "1", + "scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "Load average for the last 5 minutes.\n", + "name": "5", + "scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "Load average for the last 15 minutes.\n", + "name": "15", + "scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "Load for the last minute divided by the number of cores.\n", + "name": "norm.1", + "scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "Load for the last 5 minutes divided by the number of cores.\n", + "name": "norm.5", + "scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "Load for the last 15 minutes divided by the number of cores.\n", + "name": "norm.15", + "scaling_factor": 100, + "type": "scaled_float" + }, + { + "description": "The number of CPU cores present on the host.\n", + "name": "cores", + "type": "long" + } + ], + "name": "load", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "memory": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`memory` contains local memory stats.\n", + "fields": [ + { + "description": "Total memory.\n", + "format": "bytes", + "name": "total", + "type": "long" + }, + { + "description": "Used memory.\n", + "format": "bytes", + "name": "used.bytes", + "type": "long" + }, + { + "description": "The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free).\n", + "format": "bytes", + "name": "free", + "type": "long" + }, + { + "description": "The percentage of used memory.\n", + "format": "percent", + "name": "used.pct", + "type": "scaled_float" + }, + { + "description": "Actual memory used and free.\n", + "fields": [ + { + "description": "Actual used memory in bytes. It represents the difference between the total and the available memory. 
The available memory depends on the OS. For more details, please check `system.actual.free`.\n", + "format": "bytes", + "name": "used.bytes", + "type": "long" + }, + { + "description": "Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`.\n", + "format": "bytes", + "name": "free", + "type": "long" + }, + { + "description": "The percentage of actual used memory.\n", + "format": "percent", + "name": "used.pct", + "type": "scaled_float" + } + ], + "name": "actual", + "type": "group" + }, + { + "description": "This group contains statistics related to the swap memory usage on the system.", + "fields": [ + { + "description": "Total swap memory.\n", + "format": "bytes", + "name": "total", + "type": "long" + }, + { + "description": "Used swap memory.\n", + "format": "bytes", + "name": "used.bytes", + "type": "long" + }, + { + "description": "Available swap memory.\n", + "format": "bytes", + "name": "free", + "type": "long" + }, + { + "description": "count of pages swapped out", + "name": "out.pages", + "type": "long" + }, + { + "description": "count of pages swapped in", + "name": "in.pages", + "type": "long" + }, + { + "description": "swap readahead pages", + "name": "readahead.pages", + "type": "long" + }, + { + "description": "swap readahead cache hits", + "name": "readahead.cached", + "type": "long" + }, + { + "description": "The percentage of used swap memory.\n", + "format": "percent", + "name": "used.pct", + "type": "scaled_float" + } + ], + "name": "swap", + "prefix": "[float]", + "type": "group" + }, + { + "description": "memory page statistics", + "fields": [ + { + "description": "pages scanned by kswapd", + "format": "number", + "name": "pgscan_kswapd.pages", + "type": "long" + }, + { + 
"description": "pages scanned directly", + "format": "number", + "name": "pgscan_direct.pages", + "type": "long" + }, + { + "description": "pages freed by the system", + "format": "number", + "name": "pgfree.pages", + "type": "long" + }, + { + "description": "number of pages reclaimed by kswapd", + "format": "number", + "name": "pgsteal_kswapd.pages", + "type": "long" + }, + { + "description": "number of pages reclaimed directly", + "format": "number", + "name": "pgsteal_direct.pages", + "type": "long" + }, + { + "description": "direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory.", + "format": "percent", + "name": "direct_efficiency.pct", + "type": "scaled_float" + }, + { + "description": "kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory.", + "format": "percent", + "name": "kswapd_efficiency.pct", + "type": "scaled_float" + } + ], + "name": "page_stats", + "type": "group" + }, + { + "description": "This group contains statistics related to huge pages usage on the system.", + "fields": [ + { + "description": "Number of huge pages in the pool.\n", + "format": "number", + "name": "total", + "type": "long" + }, + { + "description": "Memory used in allocated huge pages.\n", + "format": "bytes", + "name": "used.bytes", + "type": "long" + }, + { + "description": "Percentage of huge pages used.\n", + "format": "percent", + "name": "used.pct", + "type": "long" + }, + { + "description": "Number of available huge pages in the pool.\n", + "format": "number", + "name": "free", + "type": "long" + }, + { + "description": "Number of reserved but not allocated huge pages in the pool.\n", + "format": "number", + "name": "reserved", + "type": "long" + }, + { + "description": "Number of overcommited huge pages.\n", + "format": "number", + "name": "surplus", + "type": "long" + }, + { + "description": "Default size for huge pages.\n", + "format": "bytes", + "name": 
"default_size", + "type": "long" + }, + { + "description": "huge pages swapped out", + "fields": [ + { + "description": "pages swapped out", + "name": "pages", + "type": "long" + }, + { + "description": "Count of huge pages that must be split before swapout", + "name": "fallback", + "type": "long" + } + ], + "name": "swap.out", + "type": "group" + } + ], + "name": "hugepages", + "prefix": "[float]", + "type": "group" + } + ], + "name": "memory", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "network": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`network` contains network IO metrics for a single network interface.\n", + "fields": [ + { + "description": "The network interface name.\n", + "example": "eth0", + "name": "name", + "type": "keyword" + }, + { + "description": "The number of bytes sent.\n", + "format": "bytes", + "name": "out.bytes", + "type": "long" + }, + { + "description": "The number of bytes received.\n", + "format": "bytes", + "name": "in.bytes", + "type": "long" + }, + { + "description": "The number of packets sent.\n", + "name": "out.packets", + "type": "long" + }, + { + "description": "The number or packets received.\n", + "name": "in.packets", + "type": "long" + }, + { + "description": "The number of errors while receiving.\n", + "name": "in.errors", + "type": "long" + }, + { + "description": "The number of errors while sending.\n", + "name": "out.errors", + "type": "long" + }, + { + "description": "The number of incoming packets that were dropped.\n", + "name": "in.dropped", + "type": "long" + }, + { + "description": "The number of outgoing packets that were dropped. 
This value is always 0 on Darwin and BSD because it is not reported by the operating system.\n", + "name": "out.dropped", + "type": "long" + } + ], + "name": "network", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "network_summary": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Metrics relating to global network activity\n", + "fields": [ + { + "description": "IP counters\n", + "name": "ip.*", + "type": "object" + }, + { + "description": "TCP counters\n", + "name": "tcp.*", + "type": "object" + }, + { + "description": "UDP counters\n", + "name": "udp.*", + "type": "object" + }, + { + "description": "UDP Lite counters\n", + "name": "udp_lite.*", + "type": "object" + }, + { + "description": "ICMP counters\n", + "name": "icmp.*", + "type": "object" + } + ], + "name": "network_summary", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "process": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`process` contains process metadata, CPU metrics, and memory metrics.\n", + "fields": [ + { + "migration": true, + "name": "name", + "path": "process.name", + "type": "alias" + }, + { + "description": "The process state. 
For example: \"running\".\n", + "name": "state", + "type": "keyword" + }, + { + "migration": true, + "name": "pid", + "path": "process.pid", + "type": "alias" + }, + { + "migration": true, + "name": "ppid", + "path": "process.ppid", + "type": "alias" + }, + { + "migration": true, + "name": "pgid", + "path": "process.pgid", + "type": "alias" + }, + { + "description": "The full command-line used to start the process, including the arguments separated by space.\n", + "ignore_above": 2048, + "name": "cmdline", + "type": "keyword" + }, + { + "migration": true, + "name": "username", + "path": "user.name", + "type": "alias" + }, + { + "migration": true, + "name": "cwd", + "path": "process.working_directory", + "type": "alias" + }, + { + "description": "The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X.\n", + "name": "env", + "object_type": "keyword", + "type": "object" + }, + { + "description": "CPU-specific statistics per process.", + "fields": [ + { + "description": "The amount of CPU time the process spent in user space.\n", + "name": "user.ticks", + "type": "long" + }, + { + "description": "The value of CPU usage since starting the process.\n", + "name": "total.value", + "type": "long" + }, + { + "description": "The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems.\n", + "format": "percent", + "name": "total.pct", + "type": "scaled_float" + }, + { + "description": "The percentage of CPU time spent by the process since the last event. 
This value is normalized by the number of CPU cores and it ranges from 0 to 100%.\n", + "format": "percent", + "name": "total.norm.pct", + "type": "scaled_float" + }, + { + "description": "The amount of CPU time the process spent in kernel space.\n", + "name": "system.ticks", + "type": "long" + }, + { + "description": "The total CPU time spent by the process.\n", + "name": "total.ticks", + "type": "long" + }, + { + "description": "The time when the process was started.\n", + "name": "start_time", + "type": "date" + } + ], + "name": "cpu", + "prefix": "[float]", + "type": "group" + }, + { + "description": "Memory-specific statistics per process.", + "fields": [ + { + "description": "The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process.\n", + "format": "bytes", + "name": "size", + "type": "long" + }, + { + "description": "The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes.\n", + "format": "bytes", + "name": "rss.bytes", + "type": "long" + }, + { + "description": "The percentage of memory the process occupied in main memory (RAM).\n", + "format": "percent", + "name": "rss.pct", + "type": "scaled_float" + }, + { + "description": "The shared memory the process uses.\n", + "format": "bytes", + "name": "share", + "type": "long" + } + ], + "name": "memory", + "prefix": "[float]", + "type": "group" + }, + { + "description": "File descriptor usage metrics. This set of metrics is available for Linux and FreeBSD.\n", + "fields": [ + { + "description": "The number of file descriptors open by the process.", + "name": "open", + "type": "long" + }, + { + "description": "The soft limit on the number of file descriptors opened by the process. 
The soft limit can be changed by the process at any time.\n", + "name": "limit.soft", + "type": "long" + }, + { + "description": "The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root.\n", + "name": "limit.hard", + "type": "long" + } + ], + "name": "fd", + "prefix": "[float]", + "type": "group" + }, + { + "description": "Metrics and limits from the cgroup of which the task is a member. cgroup metrics are reported when the process has membership in a non-root cgroup. These metrics are only available on Linux.\n", + "fields": [ + { + "description": "The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent.\n", + "name": "path", + "type": "keyword" + }, + { + "description": "The cpu subsystem schedules CPU access for tasks in the cgroup. Access can be controlled by two separate schedulers, CFS and RT. CFS stands for completely fair scheduler which proportionally divides the CPU time between cgroups based on weight. 
RT stands for real time scheduler which sets a maximum amount of CPU time that processes in the cgroup can consume during a given period.\n", + "fields": [ + { + "description": "ID of the cgroup.", + "name": "id", + "type": "keyword" + }, + { + "description": "Path to the cgroup relative to the cgroup subsystem's mountpoint.\n", + "name": "path", + "type": "keyword" + }, + { + "description": "Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated.\n", + "name": "cfs.period.us", + "type": "long" + }, + { + "description": "Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us).\n", + "name": "cfs.quota.us", + "type": "long" + }, + { + "description": "An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher.\n", + "name": "cfs.shares", + "type": "long" + }, + { + "description": "Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated.\n", + "name": "rt.period.us", + "type": "long" + }, + { + "description": "Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.\n", + "name": "rt.runtime.us", + "type": "long" + }, + { + "description": "Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed.\n", + "name": "stats.periods", + "type": "long" + }, + { + "description": "Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota).\n", + "name": "stats.throttled.periods", + "type": "long" + }, + { + "description": "The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled.\n", + "name": "stats.throttled.ns", + "type": "long" + } + ], + "name": "cpu", + "type": "group" + }, + { + 
"description": "CPU accounting metrics.", + "fields": [ + { + "description": "ID of the cgroup.", + "name": "id", + "type": "keyword" + }, + { + "description": "Path to the cgroup relative to the cgroup subsystem's mountpoint.\n", + "name": "path", + "type": "keyword" + }, + { + "description": "Total CPU time in nanoseconds consumed by all tasks in the cgroup.\n", + "name": "total.ns", + "type": "long" + }, + { + "description": "CPU time consumed by tasks in user mode.", + "name": "stats.user.ns", + "type": "long" + }, + { + "description": "CPU time consumed by tasks in user (kernel) mode.", + "name": "stats.system.ns", + "type": "long" + }, + { + "description": "CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup.\n", + "name": "percpu", + "object_type": "long", + "type": "object" + } + ], + "name": "cpuacct", + "type": "group" + }, + { + "description": "Memory limits and metrics.", + "fields": [ + { + "description": "ID of the cgroup.", + "name": "id", + "type": "keyword" + }, + { + "description": "Path to the cgroup relative to the cgroup subsystem's mountpoint.\n", + "name": "path", + "type": "keyword" + }, + { + "description": "Total memory usage by processes in the cgroup (in bytes).\n", + "format": "bytes", + "name": "mem.usage.bytes", + "type": "long" + }, + { + "description": "The maximum memory used by processes in the cgroup (in bytes).\n", + "format": "bytes", + "name": "mem.usage.max.bytes", + "type": "long" + }, + { + "description": "The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use.\n", + "format": "bytes", + "name": "mem.limit.bytes", + "type": "long" + }, + { + "description": "The number of times that the memory limit (mem.limit.bytes) was reached.\n", + "name": "mem.failures", + "type": "long" + }, + { + "description": "The sum of current memory usage plus swap space used by processes in the cgroup (in bytes).\n", + "format": "bytes", + "name": "memsw.usage.bytes", 
+ "type": "long" + }, + { + "description": "The maximum amount of memory and swap space used by processes in the cgroup (in bytes).\n", + "format": "bytes", + "name": "memsw.usage.max.bytes", + "type": "long" + }, + { + "description": "The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use.\n", + "format": "bytes", + "name": "memsw.limit.bytes", + "type": "long" + }, + { + "description": "The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached.\n", + "name": "memsw.failures", + "type": "long" + }, + { + "description": "Total kernel memory usage by processes in the cgroup (in bytes).\n", + "format": "bytes", + "name": "kmem.usage.bytes", + "type": "long" + }, + { + "description": "The maximum kernel memory used by processes in the cgroup (in bytes).\n", + "format": "bytes", + "name": "kmem.usage.max.bytes", + "type": "long" + }, + { + "description": "The maximum amount of kernel memory that tasks in the cgroup are allowed to use.\n", + "format": "bytes", + "name": "kmem.limit.bytes", + "type": "long" + }, + { + "description": "The number of times that the memory limit (kmem.limit.bytes) was reached.\n", + "name": "kmem.failures", + "type": "long" + }, + { + "description": "Total memory usage for TCP buffers in bytes.\n", + "format": "bytes", + "name": "kmem_tcp.usage.bytes", + "type": "long" + }, + { + "description": "The maximum memory used for TCP buffers by processes in the cgroup (in bytes).\n", + "format": "bytes", + "name": "kmem_tcp.usage.max.bytes", + "type": "long" + }, + { + "description": "The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use.\n", + "format": "bytes", + "name": "kmem_tcp.limit.bytes", + "type": "long" + }, + { + "description": "The number of times that the memory limit (kmem_tcp.limit.bytes) was reached.\n", + "name": "kmem_tcp.failures", + "type": "long" + }, + { + "description": "Anonymous and swap cache on active 
least-recently-used (LRU) list, including tmpfs (shmem), in bytes.\n", + "format": "bytes", + "name": "stats.active_anon.bytes", + "type": "long" + }, + { + "description": "File-backed memory on active LRU list, in bytes.", + "format": "bytes", + "name": "stats.active_file.bytes", + "type": "long" + }, + { + "description": "Page cache, including tmpfs (shmem), in bytes.", + "format": "bytes", + "name": "stats.cache.bytes", + "type": "long" + }, + { + "description": "Memory limit for the hierarchy that contains the memory cgroup, in bytes.\n", + "format": "bytes", + "name": "stats.hierarchical_memory_limit.bytes", + "type": "long" + }, + { + "description": "Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes.\n", + "format": "bytes", + "name": "stats.hierarchical_memsw_limit.bytes", + "type": "long" + }, + { + "description": "Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes\n", + "format": "bytes", + "name": "stats.inactive_anon.bytes", + "type": "long" + }, + { + "description": "File-backed memory on inactive LRU list, in bytes.\n", + "format": "bytes", + "name": "stats.inactive_file.bytes", + "type": "long" + }, + { + "description": "Size of memory-mapped mapped files, including tmpfs (shmem), in bytes.\n", + "format": "bytes", + "name": "stats.mapped_file.bytes", + "type": "long" + }, + { + "description": "Number of times that a process in the cgroup triggered a page fault.\n", + "name": "stats.page_faults", + "type": "long" + }, + { + "description": "Number of times that a process in the cgroup triggered a major fault. \"Major\" faults happen when the kernel actually has to read the data from disk.\n", + "name": "stats.major_page_faults", + "type": "long" + }, + { + "description": "Number of pages paged into memory. This is a counter.\n", + "name": "stats.pages_in", + "type": "long" + }, + { + "description": "Number of pages paged out of memory. 
This is a counter.\n", + "name": "stats.pages_out", + "type": "long" + }, + { + "description": "Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes.\n", + "format": "bytes", + "name": "stats.rss.bytes", + "type": "long" + }, + { + "description": "Number of bytes of anonymous transparent hugepages.\n", + "format": "bytes", + "name": "stats.rss_huge.bytes", + "type": "long" + }, + { + "description": "Swap usage, in bytes.\n", + "format": "bytes", + "name": "stats.swap.bytes", + "type": "long" + }, + { + "description": "Memory that cannot be reclaimed, in bytes.\n", + "format": "bytes", + "name": "stats.unevictable.bytes", + "type": "long" + } + ], + "name": "memory", + "type": "group" + }, + { + "description": "Block IO metrics.", + "fields": [ + { + "description": "ID of the cgroup.", + "name": "id", + "type": "keyword" + }, + { + "description": "Path to the cgroup relative to the cgroup subsystems mountpoint.\n", + "name": "path", + "type": "keyword" + }, + { + "description": "Total number of bytes transferred to and from all block devices by processes in the cgroup.\n", + "format": "bytes", + "name": "total.bytes", + "type": "long" + }, + { + "description": "Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy.\n", + "name": "total.ios", + "type": "long" + } + ], + "name": "blkio", + "type": "group" + } + ], + "name": "cgroup", + "type": "group" + } + ], + "name": "process", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "process_summary": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Summary metrics for the processes running on the host.\n", + "fields": [ + { + "description": "Total number of processes on this host.\n", + "name": "total", + "type": "long" + }, + { + "description": "Number of running processes on this host.\n", + "name": "running", + "type": "long" + }, + { + "description": "Number of 
idle processes on this host.\n", + "name": "idle", + "type": "long" + }, + { + "description": "Number of sleeping processes on this host.\n", + "name": "sleeping", + "type": "long" + }, + { + "description": "Number of stopped processes on this host.\n", + "name": "stopped", + "type": "long" + }, + { + "description": "Number of zombie processes on this host.\n", + "name": "zombie", + "type": "long" + }, + { + "description": "Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen.\n", + "name": "dead", + "type": "long" + }, + { + "description": "Number of processes for which the state couldn't be retrieved or is unknown.\n", + "name": "unknown", + "type": "long" + } + ], + "name": "process.summary", + "release": "ga", + "title": "Process Summary", + "type": "group" + } + ] + } + } + } + }, + "raid": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "raid\n", + "fields": [ + { + "description": "Name of the device.\n", + "name": "name", + "type": "keyword" + }, + { + "description": "activity-state of the device.\n", + "name": "status", + "type": "keyword" + }, + { + "description": "The raid level of the device\n", + "name": "level", + "type": "keyword" + }, + { + "description": "Current sync action, if the RAID array is redundant \n", + "name": "sync_action", + "type": "keyword" + }, + { + "description": "Number of active disks.\n", + "name": "disks.active", + "type": "long" + }, + { + "description": "Total number of disks the device consists of.\n", + "name": "disks.total", + "type": "long" + }, + { + "description": "Number of spared disks.\n", + "name": "disks.spare", + "type": "long" + }, + { + "description": "Number of failed disks.\n", + "name": "disks.failed", + "type": "long" + }, + { + "description": "map of raw disk states\n", + "name": "disks.states.*", + "object_type": "keyword", + "type": "object" + }, + { + "description": "Number of blocks the device holds, 
in 1024-byte blocks.\n", + "name": "blocks.total", + "type": "long" + }, + { + "description": "Number of blocks on the device that are in sync, in 1024-byte blocks.\n", + "name": "blocks.synced", + "type": "long" + } + ], + "name": "raid", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "service": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "metrics for system services\n", + "fields": [ + { + "description": "The name of the service", + "name": "name", + "type": "keyword" + }, + { + "description": "The load state of the service", + "name": "load_state", + "type": "keyword" + }, + { + "description": "The activity state of the service", + "name": "state", + "type": "keyword" + }, + { + "description": "The sub-state of the service", + "name": "sub_state", + "type": "keyword" + }, + { + "description": "The timestamp of the last state change. If the service is active and running, this is its uptime.", + "name": "state_since", + "type": "date" + }, + { + "description": "The SIGCHLD code from the service's main process", + "name": "exec_code", + "type": "keyword" + }, + { + "description": "system metrics associated with the service", + "fields": [ + { + "description": "CPU usage in nanoseconds", + "name": "cpu.usage.ns", + "type": "long" + }, + { + "description": "memory usage in bytes", + "name": "memory.usage.bytes", + "type": "long" + }, + { + "description": "number of tasks associated with the service", + "name": "tasks.count", + "type": "long" + }, + { + "description": "network resource usage", + "fields": [ + { + "description": "bytes in", + "format": "bytes", + "name": "in.bytes", + "type": "long" + }, + { + "description": "packets in", + "format": "bytes", + "name": "in.packets", + "type": "long" + }, + { + "description": "packets out", + "name": "out.packets", + "type": "long" + }, + { + "description": "bytes out", + "name": "out.bytes", + "type": "long" + } + ], + "name": "network", + "type": "group" + } + ], 
+ "name": "resources", + "type": "group" + } + ], + "name": "service", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "socket": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "TCP sockets that are active.\n", + "fields": [ + { + "migration": true, + "name": "direction", + "path": "network.direction", + "type": "alias" + }, + { + "migration": true, + "name": "family", + "path": "network.type", + "type": "alias" + }, + { + "description": "Local IP address. This can be an IPv4 or IPv6 address.\n", + "example": "192.0.2.1 or 2001:0DB8:ABED:8536::1", + "name": "local.ip", + "type": "ip" + }, + { + "description": "Local port.\n", + "example": 22, + "name": "local.port", + "type": "long" + }, + { + "description": "Remote IP address. This can be an IPv4 or IPv6 address.\n", + "example": "192.0.2.1 or 2001:0DB8:ABED:8536::1", + "name": "remote.ip", + "type": "ip" + }, + { + "description": "Remote port.\n", + "example": 22, + "name": "remote.port", + "type": "long" + }, + { + "description": "PTR record associated with the remote IP. It is obtained via reverse IP lookup.\n", + "example": "76-211-117-36.nw.example.com.", + "name": "remote.host", + "type": "keyword" + }, + { + "description": "The effective top-level domain (eTLD) of the remote host plus one more label. For example, the eTLD+1 for \"foo.bar.golang.org.\" is \"golang.org.\". 
The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org.\n", + "example": "example.com.", + "name": "remote.etld_plus_one", + "type": "keyword" + }, + { + "description": "Error describing the cause of the reverse lookup failure.\n", + "name": "remote.host_error", + "type": "keyword" + }, + { + "migration": true, + "name": "process.pid", + "path": "process.pid", + "type": "alias" + }, + { + "migration": true, + "name": "process.command", + "path": "process.name", + "type": "alias" + }, + { + "description": "Full command line\n", + "name": "process.cmdline", + "type": "keyword" + }, + { + "migration": true, + "name": "process.exe", + "path": "process.executable", + "type": "alias" + }, + { + "migration": true, + "name": "user.id", + "path": "user.id", + "type": "alias" + }, + { + "migration": true, + "name": "user.name", + "path": "user.full_name", + "type": "alias" + } + ], + "name": "socket", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "socket_summary": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Summary metrics of open sockets in the host system\n", + "fields": [ + { + "description": "All connections\n", + "fields": [ + { + "description": "All open connections\n", + "name": "count", + "type": "integer" + }, + { + "description": "All listening ports\n", + "name": "listening", + "type": "integer" + } + ], + "name": "all", + "type": "group" + }, + { + "description": "All TCP connections\n", + "fields": [ + { + "description": "Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. \n", + "format": "bytes", + "name": "memory", + "type": "integer" + }, + { + "description": "All TCP connections\n", + "fields": [ + { + "description": "A count of all orphaned tcp sockets. 
Only available on Linux.\n", + "name": "orphan", + "type": "integer" + }, + { + "description": "All open TCP connections\n", + "name": "count", + "type": "integer" + }, + { + "description": "All TCP listening ports\n", + "name": "listening", + "type": "integer" + }, + { + "description": "Number of established TCP connections\n", + "name": "established", + "type": "integer" + }, + { + "description": "Number of TCP connections in _close_wait_ state\n", + "name": "close_wait", + "type": "integer" + }, + { + "description": "Number of TCP connections in _time_wait_ state\n", + "name": "time_wait", + "type": "integer" + } + ], + "name": "all", + "type": "group" + } + ], + "name": "tcp", + "type": "group" + }, + { + "description": "All UDP connections\n", + "fields": [ + { + "description": "Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. \n", + "format": "bytes", + "name": "memory", + "type": "integer" + }, + { + "description": "All UDP connections\n", + "fields": [ + { + "description": "All open UDP connections\n", + "name": "count", + "type": "integer" + } + ], + "name": "all", + "type": "group" + } + ], + "name": "udp", + "type": "group" + } + ], + "name": "socket.summary", + "release": "ga", + "title": "Socket summary", + "type": "group" + } + ] + } + } + } + }, + "uptime": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`uptime` contains the operating system uptime metric.\n", + "fields": [ + { + "description": "The OS uptime in milliseconds.\n", + "format": "duration", + "input_format": "milliseconds", + "name": "duration.ms", + "type": "long" + } + ], + "name": "uptime", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "users": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Logged-in user session data\n", + "fields": [ + { + "description": "The ID of the 
session\n", + "name": "id", + "type": "keyword" + }, + { + "description": "An associated logind seat\n", + "name": "seat", + "type": "keyword" + }, + { + "description": "The DBus object path of the session\n", + "name": "path", + "type": "keyword" + }, + { + "description": "The type of the user session\n", + "name": "type", + "type": "keyword" + }, + { + "description": "A session associated with the service\n", + "name": "service", + "type": "keyword" + }, + { + "description": "A bool indicating a remote session\n", + "name": "remote", + "type": "boolean" + }, + { + "description": "The current state of the session\n", + "name": "state", + "type": "keyword" + }, + { + "description": "The associated systemd scope\n", + "name": "scope", + "type": "keyword" + }, + { + "description": "The root PID of the session\n", + "name": "leader", + "type": "long" + }, + { + "description": "A remote host address for the session\n", + "name": "remote_host", + "type": "keyword" + } + ], + "name": "users", + "release": "beta", + "type": "group" + } + ] + } + } + } + } + } + }, + "tomcat": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:8080" + ], + "metricsets": [ + "threading", + "cache", + "memory", + "requests" + ], + "module": "tomcat", + "path": "/jolokia/?ignoreErrors=true&canonicalNaming=false", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Tomcat module\n", + "fields": [ + { + "fields": null, + "name": "tomcat", + "type": "group" + } + ], + "key": "tomcat", + "release": "beta", + "title": "Tomcat" + } + ] + } + }, + "cache": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Catalina Cache metrics from the WebResourceRoot", + "fields": [ + { + "description": "Mbean that this event is related to", + "name": "mbean", + "type": "keyword" + }, + { + "description": "The number of requests for resources that were served from the cache", + "name": "hit.total", + "type": "long" + }, + { + 
"description": "The current estimate of the cache size in kilobytes", + "name": "size.total.kb", + "type": "long" + }, + { + "description": "The maximum permitted size of the cache in kilobytes", + "name": "size.max.kb", + "type": "long" + }, + { + "description": "The number of requests for resources", + "name": "lookup.total", + "type": "long" + }, + { + "description": "The time-to-live for cache entries in milliseconds", + "name": "ttl.ms", + "type": "long" + } + ], + "name": "cache", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "memory": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Memory metrics from java.lang JMX", + "fields": [ + { + "description": "Mbean that this event is related to", + "name": "mbean", + "type": "keyword" + }, + { + "description": "Committed heap memory usage", + "name": "heap.usage.committed", + "type": "long" + }, + { + "description": "Max heap memory usage", + "name": "heap.usage.max", + "type": "long" + }, + { + "description": "Used heap memory usage", + "name": "heap.usage.used", + "type": "long" + }, + { + "description": "Initial heap memory usage", + "name": "heap.usage.init", + "type": "long" + }, + { + "description": "Committed non-heap memory usage", + "name": "other.usage.committed", + "type": "long" + }, + { + "description": "Max non-heap memory usage", + "name": "other.usage.max", + "type": "long" + }, + { + "description": "Used non-heap memory usage", + "name": "other.usage.used", + "type": "long" + }, + { + "description": "Initial non-heap memory usage", + "name": "other.usage.init", + "type": "long" + } + ], + "name": "memory", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "requests": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Requests processor metrics from GlobalRequestProcessor JMX", + "fields": [ + { + "description": "Mbean that this event is related to", + "name": "mbean", + "type": "keyword" + }, + { 
+ "description": "Number of requests processed", + "name": "total", + "type": "long" + }, + { + "description": "Amount of data received, in bytes", + "name": "bytes.received", + "type": "long" + }, + { + "description": "Amount of data sent, in bytes", + "name": "bytes.sent", + "type": "long" + }, + { + "description": "Total time to process the requests", + "name": "processing.ms", + "type": "long" + }, + { + "description": "Number of errors", + "name": "errors.total", + "type": "long" + } + ], + "name": "requests", + "release": "beta", + "type": "group" + } + ] + } + } + } + }, + "threading": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Threading metrics from the Catalina's ThreadPool JMX", + "fields": [ + { + "description": "Current busy threads from the ThreadPool", + "name": "busy", + "type": "long" + }, + { + "description": "Max threads from the ThreadPool", + "name": "max", + "type": "long" + }, + { + "description": "Current number of threads, taken from the ThreadPool", + "name": "current", + "type": "long" + }, + { + "description": "Total keep alive on the ThreadPool", + "name": "keep_alive.total", + "type": "long" + }, + { + "description": "Keep alive timeout on the ThreadPool", + "name": "keep_alive.timeout.ms", + "type": "long" + }, + { + "description": "Current started threads at JVM level (from java.lang:type=Threading)", + "name": "started.total", + "type": "long" + }, + { + "description": "User time in milliseconds (from java.lang:type=Threading)", + "name": "user.time.ms", + "type": "long" + }, + { + "description": "CPU time in milliseconds (from java.lang:type=Threading)", + "name": "cpu.time.ms", + "type": "long" + }, + { + "description": "Total threads at the JVM level (from java.lang:type=Threading)", + "name": "total", + "type": "long" + }, + { + "description": "Peak number of threads at JVM level (from java.lang:type=Threading)", + "name": "peak", + "type": "long" + } + ], + "name": "threading", + 
"release": "beta", + "type": "group" + } + ] + } + } + } + } + } + }, + "traefik": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:8080" + ], + "metricsets": [ + "health" + ], + "module": "traefik", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "Traefik reverse proxy / load balancer metrics\n", + "fields": [ + { + "description": "Traefik reverse proxy / load balancer metrics\n", + "fields": null, + "name": "traefik", + "type": "group" + } + ], + "key": "traefik", + "release": "ga", + "title": "Traefik" + } + ] + } + }, + "health": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Metrics obtained from Traefik's health API endpoint\n", + "fields": [ + { + "description": "Uptime of Traefik instance in seconds\n", + "name": "uptime.sec", + "type": "long" + }, + { + "description": "Response metrics\n", + "fields": [ + { + "description": "Number of responses\n", + "name": "count", + "type": "long" + }, + { + "description": "Average response time in microseconds\n", + "name": "avg_time.us", + "type": "long" + }, + { + "description": "Number of responses per status code\n", + "name": "status_codes.*", + "object_type": "long", + "type": "object" + } + ], + "name": "response", + "type": "group" + } + ], + "name": "health", + "release": "ga", + "type": "group" + } + ] + }, + "folders": { + "testdata": { + "files": { + "config.yml": { + "type": "http", + "url": "/health" + } + } + } + } + } + } + } + } + }, + "uwsgi": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "tcp://127.0.0.1:9191" + ], + "module": "uwsgi", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "uwsgi module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "uwsgi", + "type": "group" + } + ], + "key": "uwsgi", + "release": "ga", + "title": "uWSGI" + } + ] + } + }, + "status": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + 
"description": "uwsgi.status metricset fields\n", + "fields": [ + { + "description": "Total requests handled\n", + "name": "total.requests", + "type": "long" + }, + { + "description": "Total exceptions\n", + "name": "total.exceptions", + "type": "long" + }, + { + "description": "Total requests write errors\n", + "name": "total.write_errors", + "type": "long" + }, + { + "description": "Total read errors\n", + "name": "total.read_errors", + "type": "long" + }, + { + "description": "Process id\n", + "name": "total.pid", + "type": "long" + }, + { + "description": "Worker id\n", + "name": "worker.id", + "type": "long" + }, + { + "description": "Worker process id\n", + "name": "worker.pid", + "type": "long" + }, + { + "description": "State of worker, 1 if still accepting new requests otherwise 0\n", + "name": "worker.accepting", + "type": "long" + }, + { + "description": "Number of requests served by this worker\n", + "name": "worker.requests", + "type": "long" + }, + { + "description": "Number of requests served by this worker after worker is reloaded when reached MAX_REQUESTS\n", + "name": "worker.delta_requests", + "type": "long" + }, + { + "description": "Exceptions raised\n", + "name": "worker.exceptions", + "type": "long" + }, + { + "description": "Dropped requests by timeout\n", + "name": "worker.harakiri_count", + "type": "long" + }, + { + "description": "Emitted signals count\n", + "name": "worker.signals", + "type": "long" + }, + { + "description": "Number of signals waiting to be handled\n", + "name": "worker.signal_queue", + "type": "long" + }, + { + "description": "Worker status (cheap, pause, sig, busy, idle)\n", + "name": "worker.status", + "type": "keyword" + }, + { + "description": "Resident Set Size. memory currently used by a process. if always zero try `--memory-report` option of uwsgi\n", + "name": "worker.rss", + "type": "keyword" + }, + { + "description": "Virtual Set Size. memory size assigned to a process. 
if always zero try `--memory-report` option of uwsgi\n", + "name": "worker.vsz", + "type": "long" + }, + { + "description": "Process running time\n", + "name": "worker.running_time", + "type": "long" + }, + { + "description": "Respawn count\n", + "name": "worker.respawn_count", + "type": "long" + }, + { + "description": "Transmitted size\n", + "name": "worker.tx", + "type": "long" + }, + { + "description": "Average response time\n", + "name": "worker.avg_rt", + "type": "long" + }, + { + "description": "worker ID\n", + "name": "core.id", + "type": "long" + }, + { + "description": "Parent worker PID\n", + "name": "core.worker_pid", + "type": "long" + }, + { + "description": "Number of total requests served\n", + "name": "core.requests.total", + "type": "long" + }, + { + "description": "Number of static file serves\n", + "name": "core.requests.static", + "type": "long" + }, + { + "description": "Routed requests\n", + "name": "core.requests.routed", + "type": "long" + }, + { + "description": "Offloaded requests\n", + "name": "core.requests.offloaded", + "type": "long" + }, + { + "description": "Number of failed writes\n", + "name": "core.write_errors", + "type": "long" + }, + { + "description": "Number of failed reads\n", + "name": "core.read_errors", + "type": "long" + } + ], + "name": "status", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "vsphere": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "https://localhost/sdk" + ], + "insecure": false, + "module": "vsphere", + "password": "password", + "period": "10s", + "username": "user" + } + ], + "fields.yml": [ + { + "description": "vSphere module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "vsphere", + "type": "group" + } + ], + "key": "vsphere", + "release": "ga", + "title": "vSphere" + } + ] + } + }, + "datastore": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "datastore\n", + "fields": [ + { + 
"description": "Datastore name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Filesystem type\n", + "name": "fstype", + "type": "keyword" + }, + { + "description": "Total bytes of the datastore\n", + "format": "bytes", + "name": "capacity.total.bytes", + "type": "long" + }, + { + "description": "Free bytes of the datastore\n", + "format": "bytes", + "name": "capacity.free.bytes", + "type": "long" + }, + { + "description": "Used bytes of the datastore\n", + "format": "bytes", + "name": "capacity.used.bytes", + "type": "long" + }, + { + "description": "Used percent of the datastore\n", + "format": "percent", + "name": "capacity.used.pct", + "type": "long" + } + ], + "name": "datastore", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "host": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "host\n", + "fields": [ + { + "description": "Host name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Used CPU in Mhz\n", + "name": "cpu.used.mhz", + "type": "long" + }, + { + "description": "Total CPU in Mhz\n", + "name": "cpu.total.mhz", + "type": "long" + }, + { + "description": "Free CPU in Mhz\n", + "name": "cpu.free.mhz", + "type": "long" + }, + { + "description": "Used Memory in bytes\n", + "format": "bytes", + "name": "memory.used.bytes", + "type": "long" + }, + { + "description": "Total Memory in bytes\n", + "format": "bytes", + "name": "memory.total.bytes", + "type": "long" + }, + { + "description": "Free Memory in bytes\n", + "format": "bytes", + "name": "memory.free.bytes", + "type": "long" + }, + { + "description": "Network names\n", + "name": "network_names", + "type": "keyword" + } + ], + "name": "host", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "virtualmachine": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "virtualmachine\n", + "fields": [ + { + "description": "Host id\n", + "name": "host.id", + "type": "keyword" + 
}, + { + "description": "Host name of the host\n", + "name": "host.hostname", + "type": "keyword" + }, + { + "description": "Virtual Machine name\n", + "name": "name", + "type": "keyword" + }, + { + "description": "Virtual Machine Operating System name\n", + "name": "os", + "type": "keyword" + }, + { + "description": "Used CPU in Mhz\n", + "name": "cpu.used.mhz", + "type": "long" + }, + { + "description": "Used Memory of Guest in bytes\n", + "format": "bytes", + "name": "memory.used.guest.bytes", + "type": "long" + }, + { + "description": "Used Memory of Host in bytes\n", + "format": "bytes", + "name": "memory.used.host.bytes", + "type": "long" + }, + { + "description": "Total Memory of Guest in bytes\n", + "format": "bytes", + "name": "memory.total.guest.bytes", + "type": "long" + }, + { + "description": "Free Memory of Guest in bytes\n", + "format": "bytes", + "name": "memory.free.guest.bytes", + "type": "long" + }, + { + "description": "Custom fields\n", + "name": "custom_fields", + "object_type": "keyword", + "type": "object" + }, + { + "description": "Network names\n", + "name": "network_names", + "type": "keyword" + } + ], + "name": "virtualmachine", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "windows": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "metricsets": [ + "service" + ], + "module": "windows", + "period": "1m" + } + ], + "fields.yml": [ + { + "description": "Module for Windows\n", + "fields": [ + { + "description": "", + "fields": null, + "name": "windows", + "type": "group" + } + ], + "key": "windows", + "release": "ga", + "short_config": false, + "title": "Windows" + } + ] + } + }, + "perfmon": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "perfmon\n", + "fields": [ + { + "description": "Instance value.\n", + "name": "instance", + "type": "keyword" + }, + { + "description": "Metric values returned.\n", + "name": "metrics.*.*", + "object_type": "float", + 
"object_type_mapping_type": "*", + "type": "object" + } + ], + "name": "perfmon", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "service": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`service` contains the status for Windows services.\n", + "fields": [ + { + "description": "A unique ID for the service. It is a hash of the machine's GUID and the service name.\n", + "example": "hW3NJFc1Ap", + "name": "id", + "type": "keyword" + }, + { + "description": "The service name.\n", + "example": "Wecsvc", + "name": "name", + "type": "keyword" + }, + { + "description": "The display name of the service.\n", + "example": "Windows Event Collector", + "name": "display_name", + "type": "keyword" + }, + { + "description": "The startup type of the service. The possible values are `Automatic`, `Boot`, `Disabled`, `Manual`, and `System`.\n", + "name": "start_type", + "type": "keyword" + }, + { + "description": "Account name under which a service runs.\n", + "example": "NT AUTHORITY\\LocalService", + "name": "start_name", + "type": "keyword" + }, + { + "description": "Fully qualified path to the file that implements the service, including arguments.\n", + "example": "C:\\WINDOWS\\system32\\svchost.exe -k LocalService -p", + "name": "path_name", + "type": "keyword" + }, + { + "description": "The actual state of the service. The possible values are `Continuing`, `Pausing`, `Paused`, `Running`, `Starting`, `Stopping`, and `Stopped`.\n", + "name": "state", + "type": "keyword" + }, + { + "description": "For `Stopped` services this is the error code that service reports when starting to stopping. 
This will be the generic Windows service error code unless the service provides a service-specific error code.\n", + "name": "exit_code", + "type": "keyword" + }, + { + "description": "For `Running` services this is the associated process PID.\n", + "example": 1092, + "name": "pid", + "type": "long" + }, + { + "description": "The service's uptime specified in milliseconds.\n", + "format": "duration", + "input_format": "milliseconds", + "name": "uptime.ms", + "type": "long" + } + ], + "name": "service", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + }, + "zookeeper": { + "folders": { + "_meta": { + "files": { + "config.yml": [ + { + "hosts": [ + "localhost:2181" + ], + "module": "zookeeper", + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "ZooKeeper metrics collected by the four-letter monitoring commands.\n", + "fields": [ + { + "description": "`zookeeper` contains the metrics reported by ZooKeeper commands.\n", + "fields": null, + "name": "zookeeper", + "type": "group" + } + ], + "key": "zookeeper", + "release": "ga", + "short_config": false, + "title": "ZooKeeper" + } + ] + } + }, + "connection": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "connections\n", + "fields": [ + { + "description": "Interest ops\n", + "name": "interest_ops", + "type": "long" + }, + { + "description": "Queued connections\n", + "name": "queued", + "type": "long" + }, + { + "description": "Received connections\n", + "name": "received", + "type": "long" + }, + { + "description": "Connections sent\n", + "name": "sent", + "type": "long" + } + ], + "name": "connection", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "mntr": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "`mntr` contains the metrics reported by the four-letter `mntr` command.\n", + "fields": [ + { + "description": "ZooKeeper hostname.\n", + "name": "hostname", + "type": "keyword" + }, + { + 
"description": "Approximate size of ZooKeeper data.\n", + "name": "approximate_data_size", + "type": "long" + }, + { + "description": "Average latency between ensemble hosts in milliseconds.\n", + "name": "latency.avg", + "type": "long" + }, + { + "description": "Number of ephemeral znodes.\n", + "name": "ephemerals_count", + "type": "long" + }, + { + "description": "Number of followers seen by the current host.\n", + "name": "followers", + "type": "long" + }, + { + "description": "Maximum number of file descriptors allowed for the ZooKeeper process.\n", + "name": "max_file_descriptor_count", + "type": "long" + }, + { + "description": "Maximum latency in milliseconds.\n", + "name": "latency.max", + "type": "long" + }, + { + "description": "Minimum latency in milliseconds.\n", + "name": "latency.min", + "type": "long" + }, + { + "description": "Number of connections to ZooKeeper that are currently alive.\n", + "name": "num_alive_connections", + "type": "long" + }, + { + "description": "Number of file descriptors open by the ZooKeeper process.\n", + "name": "open_file_descriptor_count", + "type": "long" + }, + { + "description": "Number of outstanding requests that need to be processed by the cluster.\n", + "name": "outstanding_requests", + "type": "long" + }, + { + "description": "Number of ZooKeeper network packets received.\n", + "name": "packets.received", + "type": "long" + }, + { + "description": "Number of ZooKeeper network packets sent.\n", + "name": "packets.sent", + "type": "long" + }, + { + "description": "Number of pending syncs to carry out to ZooKeeper ensemble followers.\n", + "name": "pending_syncs", + "type": "long" + }, + { + "description": "Role in the ZooKeeper ensemble.\n", + "name": "server_state", + "type": "keyword" + }, + { + "description": "Number of synced followers reported when a node server_state is leader.\n", + "name": "synced_followers", + "type": "long" + }, + { + "description": "ZooKeeper version and build string reported.\n", + 
"name": "version", + "path": "service.version", + "type": "alias" + }, + { + "description": "Number of watches currently set on the local ZooKeeper process.\n", + "name": "watch_count", + "type": "long" + }, + { + "description": "Number of znodes reported by the local ZooKeeper process.\n", + "name": "znode_count", + "type": "long" + } + ], + "name": "mntr", + "release": "ga", + "type": "group" + } + ] + } + } + } + }, + "server": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "server contains the metrics reported by the four-letter `srvr` command.", + "fields": [ + { + "description": "Number of clients currently connected to the server", + "name": "connections", + "type": "long" + }, + { + "fields": [ + { + "description": "Average amount of time taken for the server to respond to a client request", + "name": "avg", + "type": "long" + }, + { + "description": "Maximum amount of time taken for the server to respond to a client request", + "name": "max", + "type": "long" + }, + { + "description": "Minimum amount of time taken for the server to respond to a client request", + "name": "min", + "type": "long" + } + ], + "name": "latency", + "type": "group" + }, + { + "description": "Mode of the server. In an ensemble, this may either be leader or follower. Otherwise, it is standalone", + "name": "mode", + "type": "keyword" + }, + { + "description": "Total number of nodes", + "name": "node_count", + "type": "long" + }, + { + "description": "Number of requests queued at the server. 
This exceeds zero when the server receives more requests than it is able to process", + "name": "outstanding", + "type": "long" + }, + { + "description": "Number of requests received by the server", + "name": "received", + "type": "long" + }, + { + "description": "Number of requests sent by the server", + "name": "sent", + "type": "long" + }, + { + "description": "Date of the Zookeeper release currently in use", + "name": "version_date", + "type": "date" + }, + { + "description": "Unique value of the Zookeeper transaction ID. The zxid consists of an epoch and a counter. It is established by the leader and is used to determine the temporal ordering of changes", + "name": "zxid", + "type": "keyword" + }, + { + "description": "Total transactions of the leader in epoch", + "name": "count", + "type": "long" + }, + { + "description": "Epoch value of the Zookeeper transaction ID. An epoch signifies the period in which a server is a leader", + "name": "epoch", + "type": "long" + } + ], + "name": "server", + "release": "ga", + "type": "group" + } + ] + } + } + } + } + } + } + } + }, + "scripts": { + "folders": { + "module": { + "files": { + "config.yml": [ + { + "enabled": false, + "hosts": [ + "localhost" + ], + "metricsets": [ + "{metricset}" + ], + "module": { + "module": null + }, + "period": "10s" + } + ], + "fields.yml": [ + { + "description": "{module} module\n", + "fields": [ + { + "description": "", + "fields": null, + "name": { + "module": null + }, + "type": "group" + } + ], + "key": { + "module": null + }, + "release": "beta", + "title": "{module}" + } + ] + }, + "folders": { + "metricset": { + "files": { + "fields.yml": [ + { + "description": "{metricset}\n", + "fields": [ + { + "description": "Example field\n", + "name": "example", + "type": "keyword" + } + ], + "name": { + "metricset": null + }, + "release": "beta", + "type": "group" + } + ] + } + } + } + } + } + } + } + }, + "packetbeat": { + "folders": { + "_meta": { + "files": { + "fields.common.yml": [ + 
{ + "description": "These fields contain data about the environment in which the transaction or flow was captured.\n", + "fields": [ + { + "description": "The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or \"flow\" in case of flows.\n", + "name": "type", + "required": true + }, + { + "description": "The name of the process that served the transaction.\n", + "name": "server.process.name" + }, + { + "description": "The command-line of the process that served the transaction.\n", + "name": "server.process.args" + }, + { + "description": "Absolute path to the server process executable.\n", + "name": "server.process.executable" + }, + { + "description": "The working directory of the server process.\n", + "name": "server.process.working_directory" + }, + { + "description": "The time the server process started.\n", + "name": "server.process.start" + }, + { + "description": "The name of the process that initiated the transaction.\n", + "name": "client.process.name" + }, + { + "description": "The command-line of the process that initiated the transaction.\n", + "name": "client.process.args" + }, + { + "description": "Absolute path to the client process executable.\n", + "name": "client.process.executable" + }, + { + "description": "The working directory of the client process.\n", + "name": "client.process.working_directory" + }, + { + "description": "The time the client process started.\n", + "name": "client.process.start" + }, + { + "description": "If the server initiating the transaction is a proxy, this field contains the original client IP address. For HTTP, for example, the IP address extracted from a configurable HTTP header, by default `X-Forwarded-For`.\nUnless this field is disabled, it always has a value, and it matches the `client_ip` for non proxy clients.\n", + "migration": true, + "name": "real_ip", + "path": "network.forwarded_ip", + "type": "alias" + }, + { + "description": "The transport protocol used for the transaction. 
If not specified, then tcp is assumed.\n", + "migration": true, + "name": "transport", + "path": "network.transport", + "type": "alias" + } + ], + "key": "common", + "title": "Common" + }, + { + "description": "These fields contain data about the flow itself.\n", + "fields": [ + { + "description": "Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.\n", + "name": "flow.final", + "type": "boolean" + }, + { + "description": "Internal flow ID based on connection meta data and address.\n", + "name": "flow.id" + }, + { + "description": "VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.\n", + "name": "flow.vlan", + "type": "long" + }, + { + "migration": true, + "name": "flow_id", + "path": "flow.id", + "type": "alias" + }, + { + "migration": true, + "name": "final", + "path": "flow.final", + "type": "alias" + }, + { + "migration": true, + "name": "vlan", + "path": "flow.vlan", + "type": "alias" + }, + { + "migration": true, + "name": "source.stats.net_bytes_total", + "path": "source.bytes", + "type": "alias" + }, + { + "migration": true, + "name": "source.stats.net_packets_total", + "path": "source.packets", + "type": "alias" + }, + { + "migration": true, + "name": "dest.stats.net_bytes_total", + "path": "destination.bytes", + "type": "alias" + }, + { + "migration": true, + "name": "dest.stats.net_packets_total", + "path": "destination.packets", + "type": "alias" + } + ], + "key": "flows_event", + "title": "Flow Event" + }, + { + "description": "These fields contain data about the transaction itself.\n", + "fields": [ + { + "description": "The high level status of the transaction. 
The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.\n", + "name": "status", + "possible_values": [ + "OK", + "Error", + "Server Error", + "Client Error" + ], + "required": true + }, + { + "description": "The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).\n", + "name": "method" + }, + { + "description": "The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.\n", + "name": "resource" + }, + { + "description": "The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.\n", + "name": "path", + "required": true + }, + { + "description": "The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.\n", + "name": "query", + "type": "keyword" + }, + { + "description": "The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.\n", + "name": "params", + "type": "text" + }, + { + "description": "Messages from Packetbeat itself. This field usually contains error messages for interpreting the raw data. This information can be helpful for troubleshooting.\n", + "name": "notes", + "path": "error.message", + "type": "alias" + } + ], + "key": "trans_event", + "title": "Transaction Event" + }, + { + "description": "These fields contain the raw transaction data.", + "fields": [ + { + "description": "For text protocols, this is the request as seen on the wire (application layer only). 
For binary protocols this is our representation of the request.\n", + "name": "request", + "type": "text" + }, + { + "description": "For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.\n", + "name": "response", + "type": "text" + } + ], + "key": "raw", + "title": "Raw" + }, + { + "description": "These fields contain measurements related to the transaction.\n", + "fields": [ + { + "description": "The number of bytes of the request. Note that this size is the application layer message length, without the length of the IP or TCP headers.\n", + "name": "bytes_in", + "path": "source.bytes", + "type": "alias" + }, + { + "description": "The number of bytes of the response. Note that this size is the application layer message length, without the length of the IP or TCP headers.\n", + "name": "bytes_out", + "path": "destination.bytes", + "type": "alias" + } + ], + "key": "trans_measurements", + "title": "Measurements (Transactions)" + } + ] + } + }, + "protos": { + "folders": { + "amqp": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "AMQP specific event fields.", + "fields": [ + { + "fields": [ + { + "description": "AMQP reply code to an error, similar to http reply-code\n", + "example": 404, + "name": "reply-code", + "type": "long" + }, + { + "description": "Text explaining the error.\n", + "name": "reply-text", + "type": "keyword" + }, + { + "description": "Failing method class.\n", + "name": "class-id", + "type": "long" + }, + { + "description": "Failing method ID.\n", + "name": "method-id", + "type": "long" + }, + { + "description": "Name of the exchange.\n", + "name": "exchange", + "type": "keyword" + }, + { + "description": "Exchange type.\n", + "example": "fanout", + "name": "exchange-type", + "type": "keyword" + }, + { + "description": "If set, do not create exchange/queue.\n", + "name": "passive", + "type": "boolean" + }, + { + 
"description": "If set, request a durable exchange/queue.\n", + "name": "durable", + "type": "boolean" + }, + { + "description": "If set, request an exclusive queue.\n", + "name": "exclusive", + "type": "boolean" + }, + { + "description": "If set, auto-delete queue when unused.\n", + "name": "auto-delete", + "type": "boolean" + }, + { + "description": "If set, the server will not respond to the method.\n", + "name": "no-wait", + "type": "boolean" + }, + { + "description": "Identifier for the consumer, valid within the current channel.\n", + "name": "consumer-tag" + }, + { + "description": "The server-assigned and channel-specific delivery tag.\n", + "name": "delivery-tag", + "type": "long" + }, + { + "description": "The number of messages in the queue, which will be zero for newly-declared queues.\n", + "name": "message-count", + "type": "long" + }, + { + "description": "The number of consumers of a queue.\n", + "name": "consumer-count", + "type": "long" + }, + { + "description": "Message routing key.\n", + "name": "routing-key", + "type": "keyword" + }, + { + "description": "If set, the server does not expect acknowledgements for messages.\n", + "name": "no-ack", + "type": "boolean" + }, + { + "description": "If set, the server will not send messages to the connection that published them.\n", + "name": "no-local", + "type": "boolean" + }, + { + "description": "Delete only if unused.\n", + "name": "if-unused", + "type": "boolean" + }, + { + "description": "Delete only if empty.\n", + "name": "if-empty", + "type": "boolean" + }, + { + "description": "The queue name identifies the queue within the vhost.\n", + "name": "queue", + "type": "keyword" + }, + { + "description": "Indicates that the message has been previously delivered to this or another client.\n", + "name": "redelivered", + "type": "boolean" + }, + { + "description": "Acknowledge multiple messages.\n", + "name": "multiple", + "type": "boolean" + }, + { + "description": "Optional additional arguments 
passed to some methods. Can be of various types.\n", + "name": "arguments", + "type": "object" + }, + { + "description": "Indicates mandatory routing.\n", + "name": "mandatory", + "type": "boolean" + }, + { + "description": "Request immediate delivery.\n", + "name": "immediate", + "type": "boolean" + }, + { + "description": "MIME content type.\n", + "example": "text/plain", + "name": "content-type", + "type": "keyword" + }, + { + "description": "MIME content encoding.\n", + "name": "content-encoding", + "type": "keyword" + }, + { + "description": "Message header field table.\n", + "name": "headers", + "object_type": "keyword", + "type": "object" + }, + { + "description": "Non-persistent (1) or persistent (2).\n", + "name": "delivery-mode", + "type": "keyword" + }, + { + "description": "Message priority, 0 to 9.\n", + "name": "priority", + "type": "long" + }, + { + "description": "Application correlation identifier.\n", + "name": "correlation-id", + "type": "keyword" + }, + { + "description": "Address to reply to.\n", + "name": "reply-to", + "type": "keyword" + }, + { + "description": "Message expiration specification.\n", + "name": "expiration", + "type": "keyword" + }, + { + "description": "Application message identifier.\n", + "name": "message-id", + "type": "keyword" + }, + { + "description": "Message timestamp.\n", + "name": "timestamp", + "type": "keyword" + }, + { + "description": "Message type name.\n", + "name": "type", + "type": "keyword" + }, + { + "description": "Creating user id.\n", + "name": "user-id", + "type": "keyword" + }, + { + "description": "Creating application id.\n", + "name": "app-id", + "type": "keyword" + } + ], + "name": "amqp", + "type": "group" + } + ], + "key": "amqp", + "title": "AMQP" + } + ] + } + } + } + }, + "cassandra": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Cassandra v4/3 specific event fields.", + "fields": [ + { + "migration": true, + "name": "no_request", + "path": 
"cassandra.no_request", + "type": "alias" + }, + { + "description": "Information about the Cassandra request and response.", + "fields": [ + { + "description": "Indicates that there is no request because this is a PUSH message.\n", + "name": "no_request", + "type": "boolean" + }, + { + "description": "Cassandra request.", + "fields": [ + { + "description": "Cassandra request headers.", + "fields": [ + { + "description": "The version of the protocol.", + "name": "version", + "type": "long" + }, + { + "description": "Flags applying to this frame.", + "name": "flags", + "type": "keyword" + }, + { + "description": "A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.", + "name": "stream", + "type": "keyword" + }, + { + "description": "An operation type that distinguishes the actual message.", + "name": "op", + "type": "keyword" + }, + { + "description": "A integer representing the length of the body of the frame (a frame is limited to 256MB in length).", + "name": "length", + "type": "long" + } + ], + "name": "headers", + "type": "group" + }, + { + "description": "The CQL query which client send to cassandra.", + "name": "query", + "type": "keyword" + } + ], + "name": "request", + "type": "group" + }, + { + "description": "Cassandra response.", + "fields": [ + { + "description": "Cassandra response headers, the structure is as same as request's header.", + "fields": [ + { + "description": "The version of the protocol.", + "name": "version", + "type": "long" + }, + { + "description": "Flags applying to this frame.", + "name": "flags", + "type": "keyword" + }, + { + "description": "A frame has a stream id. 
If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.", + "name": "stream", + "type": "keyword" + }, + { + "description": "An operation type that distinguishes the actual message.", + "name": "op", + "type": "keyword" + }, + { + "description": "A integer representing the length of the body of the frame (a frame is limited to 256MB in length).", + "name": "length", + "type": "long" + } + ], + "name": "headers", + "type": "group" + }, + { + "description": "Details about the returned result.", + "fields": [ + { + "description": "Cassandra result type.", + "name": "type", + "type": "keyword" + }, + { + "description": "Details about the rows.", + "fields": [ + { + "description": "Representing the number of rows present in this result.", + "name": "num_rows", + "type": "long" + }, + { + "description": "Composed of result metadata.", + "fields": [ + { + "description": "Only present after set Global_tables_spec, the keyspace name.", + "name": "keyspace", + "type": "keyword" + }, + { + "description": "Only present after set Global_tables_spec, the table name.", + "name": "table", + "type": "keyword" + }, + { + "description": "Provides information on the formatting of the remaining information.", + "name": "flags", + "type": "keyword" + }, + { + "description": "Representing the number of columns selected by the query that produced this result.", + "name": "col_count", + "type": "long" + }, + { + "description": "Representing the PK columns index and counts.", + "name": "pkey_columns", + "type": "long" + }, + { + "description": "The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.", + "name": "paging_state", + "type": "keyword" + } + ], + "name": "meta", + "type": "group" + } + ], + "name": "rows", + "type": "group" + }, + { + "description": "Indicating the name of the keyspace that has been set.", + 
"name": "keyspace", + "type": "keyword" + }, + { + "description": "The result to a schema_change message.", + "fields": [ + { + "description": "Representing the type of changed involved.", + "name": "change", + "type": "keyword" + }, + { + "description": "This describes which keyspace has changed.", + "name": "keyspace", + "type": "keyword" + }, + { + "description": "This describes which table has changed.", + "name": "table", + "type": "keyword" + }, + { + "description": "This describes the name of said affected object (either the table, user type, function, or aggregate name).", + "name": "object", + "type": "keyword" + }, + { + "description": "Target could be \"FUNCTION\" or \"AGGREGATE\", multiple arguments.", + "name": "target", + "type": "keyword" + }, + { + "description": "The function/aggregate name.", + "name": "name", + "type": "keyword" + }, + { + "description": "One string for each argument type (as CQL type).", + "name": "args", + "type": "keyword" + } + ], + "name": "schema_change", + "type": "group" + }, + { + "description": "The result to a PREPARE message.", + "fields": [ + { + "description": "Representing the prepared query ID.", + "name": "prepared_id", + "type": "keyword" + }, + { + "description": "This describes the request metadata.", + "fields": [ + { + "description": "Only present after set Global_tables_spec, the keyspace name.", + "name": "keyspace", + "type": "keyword" + }, + { + "description": "Only present after set Global_tables_spec, the table name.", + "name": "table", + "type": "keyword" + }, + { + "description": "Provides information on the formatting of the remaining information.", + "name": "flags", + "type": "keyword" + }, + { + "description": "Representing the number of columns selected by the query that produced this result.", + "name": "col_count", + "type": "long" + }, + { + "description": "Representing the PK columns index and counts.", + "name": "pkey_columns", + "type": "long" + }, + { + "description": "The paging_state 
is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.", + "name": "paging_state", + "type": "keyword" + } + ], + "name": "req_meta", + "type": "group" + }, + { + "description": "This describes the metadata for the result set.", + "fields": [ + { + "description": "Only present after set Global_tables_spec, the keyspace name.", + "name": "keyspace", + "type": "keyword" + }, + { + "description": "Only present after set Global_tables_spec, the table name.", + "name": "table", + "type": "keyword" + }, + { + "description": "Provides information on the formatting of the remaining information.", + "name": "flags", + "type": "keyword" + }, + { + "description": "Representing the number of columns selected by the query that produced this result.", + "name": "col_count", + "type": "long" + }, + { + "description": "Representing the PK columns index and counts.", + "name": "pkey_columns", + "type": "long" + }, + { + "description": "The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.", + "name": "paging_state", + "type": "keyword" + } + ], + "name": "resp_meta", + "type": "group" + } + ], + "name": "prepared", + "type": "group" + } + ], + "name": "result", + "type": "group" + }, + { + "description": "Indicates which startup options are supported by the server. 
This message comes as a response to an OPTIONS message.", + "name": "supported", + "object_type": "keyword", + "type": "object" + }, + { + "description": "Indicates that the server requires authentication, and which authentication mechanism to use.", + "fields": [ + { + "description": "Indicates the full class name of the IAuthenticator in use", + "name": "class", + "type": "keyword" + } + ], + "name": "authentication", + "type": "group" + }, + { + "description": "The text of the warnings, only occur when Warning flag was set.", + "name": "warnings", + "type": "keyword" + }, + { + "description": "Event pushed by the server. A client will only receive events for the types it has REGISTERed to.", + "fields": [ + { + "description": "Representing the event type.", + "name": "type", + "type": "keyword" + }, + { + "description": "The message corresponding respectively to the type of change followed by the address of the new/removed node.", + "name": "change", + "type": "keyword" + }, + { + "description": "Representing the node ip.", + "name": "host", + "type": "keyword" + }, + { + "description": "Representing the node port.", + "name": "port", + "type": "long" + }, + { + "description": "The events details related to schema change.", + "fields": [ + { + "description": "Representing the type of changed involved.", + "name": "change", + "type": "keyword" + }, + { + "description": "This describes which keyspace has changed.", + "name": "keyspace", + "type": "keyword" + }, + { + "description": "This describes which table has changed.", + "name": "table", + "type": "keyword" + }, + { + "description": "This describes the name of said affected object (either the table, user type, function, or aggregate name).", + "name": "object", + "type": "keyword" + }, + { + "description": "Target could be \"FUNCTION\" or \"AGGREGATE\", multiple arguments.", + "name": "target", + "type": "keyword" + }, + { + "description": "The function/aggregate name.", + "name": "name", + "type": "keyword" 
+ }, + { + "description": "One string for each argument type (as CQL type).", + "name": "args", + "type": "keyword" + } + ], + "name": "schema_change", + "type": "group" + } + ], + "name": "event", + "type": "group" + }, + { + "description": "Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow.", + "fields": [ + { + "description": "The error code of the Cassandra response.", + "name": "code", + "type": "long" + }, + { + "description": "The error message of the Cassandra response.", + "name": "msg", + "type": "keyword" + }, + { + "description": "The error type of the Cassandra response.", + "name": "type", + "type": "keyword" + }, + { + "description": "The details of the error.", + "fields": [ + { + "description": "Representing the consistency level of the query that triggered the exception.", + "name": "read_consistency", + "type": "keyword" + }, + { + "description": "Representing the number of nodes that should be alive to respect consistency level.", + "name": "required", + "type": "long" + }, + { + "description": "Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered).", + "name": "alive", + "type": "long" + }, + { + "description": "Representing the number of nodes having acknowledged the request.", + "name": "received", + "type": "long" + }, + { + "description": "Representing the number of replicas whose acknowledgement is required to achieve consistency level.", + "name": "blockfor", + "type": "long" + }, + { + "description": "Describe the type of the write that timed out.", + "name": "write_type", + "type": "keyword" + }, + { + "description": "It means the replica that was asked for data had responded.", + "name": "data_present", + "type": "boolean" + }, + { + "description": "The keyspace of the failed function.", + "name": "keyspace", + 
"type": "keyword" + }, + { + "description": "The keyspace of the failed function.", + "name": "table", + "type": "keyword" + }, + { + "description": "Representing the unknown ID.", + "name": "stmt_id", + "type": "keyword" + }, + { + "description": "Representing the number of nodes that experience a failure while executing the request.", + "name": "num_failures", + "type": "keyword" + }, + { + "description": "The name of the failed function.", + "name": "function", + "type": "keyword" + }, + { + "description": "One string for each argument type (as CQL type) of the failed function.", + "name": "arg_types", + "type": "keyword" + } + ], + "name": "details", + "type": "group" + } + ], + "name": "error", + "type": "group" + } + ], + "name": "response", + "type": "group" + } + ], + "name": "cassandra", + "type": "group" + } + ], + "key": "cassandra", + "title": "Cassandra" + } + ] + } + } + } + }, + "dhcpv4": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "DHCPv4 event fields", + "fields": [ + { + "fields": [ + { + "description": "Transaction ID, a random number chosen by the\nclient, used by the client and server to associate\nmessages and responses between a client and a\nserver.\n", + "name": "transaction_id", + "type": "keyword" + }, + { + "description": "Number of seconds elapsed since client began address acquisition or\nrenewal process.\n", + "name": "seconds", + "type": "long" + }, + { + "description": "Flags are set by the client to indicate how the DHCP server should\nits reply -- either unicast or broadcast.\n", + "name": "flags", + "type": "keyword" + }, + { + "description": "The current IP address of the client.", + "name": "client_ip", + "type": "ip" + }, + { + "description": "The IP address that the DHCP server is assigning to the client.\nThis field is also known as \"your\" IP address.\n", + "name": "assigned_ip", + "type": "ip" + }, + { + "description": "The IP address of the DHCP server that the client should use for 
the\nnext step in the bootstrap process.\n", + "name": "server_ip", + "type": "ip" + }, + { + "description": "The relay IP address used by the client to contact the server\n(i.e. a DHCP relay server).\n", + "name": "relay_ip", + "type": "ip" + }, + { + "description": "The client's MAC address (layer two).", + "name": "client_mac", + "type": "keyword" + }, + { + "description": "The name of the server sending the message. Optional. Used in\nDHCPOFFER or DHCPACK messages.\n", + "name": "server_name", + "type": "keyword" + }, + { + "description": "The message op code (bootrequest or bootreply).\n", + "example": "bootreply", + "name": "op_code", + "type": "keyword" + }, + { + "description": "The number of hops the DHCP message went through.", + "name": "hops", + "type": "long" + }, + { + "description": "The type of hardware used for the local network (Ethernet,\nLocalTalk, etc).\n", + "name": "hardware_type", + "type": "keyword" + }, + { + "fields": [ + { + "description": "The specific type of DHCP message being sent (e.g. 
discover,\noffer, request, decline, ack, nak, release, inform).\n", + "example": "ack", + "name": "message_type", + "type": "keyword" + }, + { + "description": "This option is used by a DHCP client to request values for\nspecified configuration parameters.\n", + "name": "parameter_request_list", + "type": "keyword" + }, + { + "description": "This option is used in a client request (DHCPDISCOVER) to allow\nthe client to request that a particular IP address be assigned.\n", + "name": "requested_ip_address", + "type": "ip" + }, + { + "description": "IP address of the individual DHCP server which handled this\nmessage.\n", + "name": "server_identifier", + "type": "ip" + }, + { + "description": "This option specifies the broadcast address in use on the\nclient's subnet.\n", + "name": "broadcast_address", + "type": "ip" + }, + { + "description": "This option specifies the maximum length DHCP message that the\nclient is willing to accept.\n", + "name": "max_dhcp_message_size", + "type": "long" + }, + { + "description": "This option is used by DHCP clients to optionally identify the\nvendor type and configuration of a DHCP client. Vendors may\nchoose to define specific vendor class identifiers to convey\nparticular configuration or other identification information\nabout a client. 
For example, the identifier may encode the\nclient's hardware configuration.\n", + "name": "class_identifier", + "type": "keyword" + }, + { + "description": "This option specifies the domain name that client should use\nwhen resolving hostnames via the Domain Name System.\n", + "name": "domain_name", + "type": "keyword" + }, + { + "description": "The domain name server option specifies a list of Domain Name\nSystem servers available to the client.\n", + "name": "dns_servers", + "type": "ip" + }, + { + "description": "A DHCP client may use this option to unambiguously identify the\nvendor that manufactured the hardware on which the client is\nrunning, the software in use, or an industry consortium to which\nthe vendor belongs. This field is described in RFC 3925.\n", + "name": "vendor_identifying_options", + "type": "object" + }, + { + "description": "The subnet mask that the client should use on the currnet\nnetwork.\n", + "name": "subnet_mask", + "type": "ip" + }, + { + "description": "The time offset field specifies the offset of the client's\nsubnet in seconds from Coordinated Universal Time (UTC).\n", + "name": "utc_time_offset_sec", + "type": "long" + }, + { + "description": "The router option specifies a list of IP addresses for routers\non the client's subnet.\n", + "name": "router", + "type": "ip" + }, + { + "description": "The time server option specifies a list of RFC 868 time servers\navailable to the client.\n", + "name": "time_servers", + "type": "ip" + }, + { + "description": "This option specifies a list of IP addresses indicating NTP\nservers available to the client.\n", + "name": "ntp_servers", + "type": "ip" + }, + { + "description": "This option specifies the name of the client.\n", + "name": "hostname", + "type": "keyword" + }, + { + "description": "This option is used in a client request (DHCPDISCOVER or\nDHCPREQUEST) to allow the client to request a lease time for the\nIP address. 
In a server reply (DHCPOFFER), a DHCP server uses\nthis option to specify the lease time it is willing to offer.\n", + "name": "ip_address_lease_time_sec", + "type": "long" + }, + { + "description": "This option is used by a DHCP server to provide an error message\nto a DHCP client in a DHCPNAK message in the event of a failure.\nA client may use this option in a DHCPDECLINE message to\nindicate the why the client declined the offered parameters.\n", + "name": "message", + "type": "text" + }, + { + "description": "This option specifies the time interval from address assignment\nuntil the client transitions to the RENEWING state.\n", + "name": "renewal_time_sec", + "type": "long" + }, + { + "description": "This option specifies the time interval from address assignment\nuntil the client transitions to the REBINDING state.\n", + "name": "rebinding_time_sec", + "type": "long" + }, + { + "description": "This option is used to identify a bootfile when the 'file' field\nin the DHCP header has been used for DHCP options.\n", + "name": "boot_file_name", + "type": "keyword" + } + ], + "name": "option", + "type": "group" + } + ], + "name": "dhcpv4", + "type": "group" + } + ], + "key": "dhcpv4", + "title": "DHCPv4" + } + ] + } + } + } + }, + "dns": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "DNS-specific event fields.", + "fields": [ + { + "fields": [ + { + "description": "A DNS flag specifying that the responding server is an authority for the domain name used in the question.\n", + "name": "flags.authoritative", + "type": "boolean" + }, + { + "description": "A DNS flag specifying whether recursive query support is available in the name server.\n", + "name": "flags.recursion_available", + "type": "boolean" + }, + { + "description": "A DNS flag specifying that the client directs the server to pursue a query recursively. 
Recursive query support is optional.\n", + "name": "flags.recursion_desired", + "type": "boolean" + }, + { + "description": "A DNS flag specifying that the recursive server considers the response authentic.\n", + "name": "flags.authentic_data", + "type": "boolean" + }, + { + "description": "A DNS flag specifying that the client disables the server signature validation of the query.\n", + "name": "flags.checking_disabled", + "type": "boolean" + }, + { + "description": "A DNS flag specifying that only the first 512 bytes of the reply were returned.\n", + "name": "flags.truncated_response", + "type": "boolean" + }, + { + "description": "The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for \"foo.bar.golang.org.\" is \"golang.org.\". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org.", + "example": "amazon.co.uk.", + "name": "question.etld_plus_one" + }, + { + "description": "The number of resource records contained in the `dns.answers` field.\n", + "name": "answers_count", + "type": "long" + }, + { + "description": "An array containing a dictionary for each authority section from the answer.\n", + "name": "authorities", + "type": "object" + }, + { + "description": "The number of resource records contained in the `dns.authorities` field. 
The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat.\n", + "name": "authorities_count", + "type": "long" + }, + { + "description": "The domain name to which this resource record pertains.", + "example": "example.com.", + "name": "authorities.name" + }, + { + "description": "The type of data contained in this resource record.", + "example": "NS", + "name": "authorities.type" + }, + { + "description": "The class of DNS data contained in this resource record.", + "example": "IN", + "name": "authorities.class" + }, + { + "description": "An array containing a dictionary for each additional section from the answer.\n", + "name": "additionals", + "type": "object" + }, + { + "description": "The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat.\n", + "name": "additionals_count", + "type": "long" + }, + { + "description": "The domain name to which this resource record pertains.", + "example": "example.com.", + "name": "additionals.name" + }, + { + "description": "The type of data contained in this resource record.", + "example": "NS", + "name": "additionals.type" + }, + { + "description": "The class of DNS data contained in this resource record.", + "example": "IN", + "name": "additionals.class" + }, + { + "description": "The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.\n", + "name": "additionals.ttl", + "type": "long" + }, + { + "description": "The data describing the resource. 
The meaning of this data depends on the type and class of the resource record.\n", + "name": "additionals.data" + }, + { + "description": "The EDNS version.", + "example": "0", + "name": "opt.version" + }, + { + "description": "If set, the transaction uses DNSSEC.", + "name": "opt.do", + "type": "boolean" + }, + { + "description": "Extended response code field.", + "example": "BADVERS", + "name": "opt.ext_rcode" + }, + { + "description": "Requestor's UDP payload size (in bytes).", + "name": "opt.udp_size", + "type": "long" + } + ], + "name": "dns", + "type": "group" + } + ], + "key": "dns", + "title": "DNS" + } + ] + } + } + } + }, + "http": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "HTTP-specific event fields.", + "fields": [ + { + "description": "Information about the HTTP request and response.", + "fields": [ + { + "description": "HTTP request", + "fields": [ + { + "description": "A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.\n", + "name": "headers", + "object_type": "keyword", + "type": "object" + }, + { + "migration": true, + "name": "params", + "path": "url.query", + "type": "alias" + } + ], + "name": "request", + "type": "group" + }, + { + "description": "HTTP response", + "fields": [ + { + "description": "The HTTP status phrase.", + "example": "Not Found", + "name": "status_phrase" + }, + { + "description": "A map containing the captured header fields from the response. Which headers to capture is configurable. 
If headers with the same header name are present in the message, they will be separated by commas.\n", + "name": "headers", + "object_type": "keyword", + "type": "object" + }, + { + "migration": true, + "name": "code", + "path": "http.response.status_code", + "type": "alias" + }, + { + "migration": true, + "name": "phrase", + "path": "http.response.status_phrase", + "type": "alias" + } + ], + "name": "response", + "type": "group" + } + ], + "name": "http", + "type": "group" + } + ], + "key": "http", + "title": "HTTP" + } + ] + } + } + } + }, + "icmp": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "ICMP specific event fields.\n", + "fields": [ + { + "fields": [ + { + "description": "The version of the ICMP protocol.", + "name": "version", + "possible_values": [ + 4, + 6 + ] + }, + { + "description": "A human readable form of the request.", + "name": "request.message", + "type": "keyword" + }, + { + "description": "The request type.", + "name": "request.type", + "type": "long" + }, + { + "description": "The request code.", + "name": "request.code", + "type": "long" + }, + { + "description": "A human readable form of the response.", + "name": "response.message", + "type": "keyword" + }, + { + "description": "The response type.", + "name": "response.type", + "type": "long" + }, + { + "description": "The response code.", + "name": "response.code", + "type": "long" + } + ], + "name": "icmp", + "type": "group" + } + ], + "key": "icmp", + "title": "ICMP" + } + ] + } + } + } + }, + "memcache": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Memcached-specific event fields", + "fields": [ + { + "fields": [ + { + "description": "The memcache protocol implementation. 
The value can be \"binary\" for binary-based, \"text\" for text-based, or \"unknown\" for an unknown memcache protocol type.\n", + "name": "protocol_type", + "type": "keyword" + }, + { + "description": "The raw command line for unknown commands ONLY.\n", + "name": "request.line", + "type": "keyword" + }, + { + "description": "The memcache command being requested in the memcache text protocol. For example \"set\" or \"get\". The binary protocol opcodes are translated into memcache text protocol commands.\n", + "name": "request.command", + "type": "keyword" + }, + { + "description": "Either the text based protocol response message type or the name of the originating request if binary protocol is used.\n", + "name": "response.command", + "type": "keyword" + }, + { + "description": "The memcache command classification. This value can be \"UNKNOWN\", \"Load\", \"Store\", \"Delete\", \"Counter\", \"Info\", \"SlabCtrl\", \"LRUCrawler\", \"Stats\", \"Success\", \"Fail\", or \"Auth\".\n", + "name": "request.type", + "type": "keyword" + }, + { + "description": "The memcache command classification. This value can be \"UNKNOWN\", \"Load\", \"Store\", \"Delete\", \"Counter\", \"Info\", \"SlabCtrl\", \"LRUCrawler\", \"Stats\", \"Success\", \"Fail\", or \"Auth\". 
The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol).\n", + "name": "response.type", + "type": "keyword" + }, + { + "description": "The optional error message in the memcache response (text based protocol only).\n", + "name": "response.error_msg", + "type": "keyword" + }, + { + "description": "The binary protocol message opcode name.\n", + "name": "request.opcode", + "type": "keyword" + }, + { + "description": "The binary protocol message opcode name.\n", + "name": "response.opcode", + "type": "keyword" + }, + { + "description": "The binary protocol message opcode value.\n", + "name": "request.opcode_value", + "type": "long" + }, + { + "description": "The binary protocol message opcode value.\n", + "name": "response.opcode_value", + "type": "long" + }, + { + "description": "The binary protocol opaque header value used for correlating request with response messages.\n", + "name": "request.opaque", + "type": "long" + }, + { + "description": "The binary protocol opaque header value used for correlating request with response messages.\n", + "name": "response.opaque", + "type": "long" + }, + { + "description": "The vbucket index sent in the binary message.\n", + "name": "request.vbucket", + "type": "long" + }, + { + "description": "The textual representation of the response error code (binary protocol only).\n", + "name": "response.status", + "type": "keyword" + }, + { + "description": "The status code value returned in the response (binary protocol only).\n", + "name": "response.status_code", + "type": "long" + }, + { + "description": "The list of keys sent in the store or load commands.\n", + "name": "request.keys", + "type": "array" + }, + { + "description": "The list of keys returned for the load command (if present).\n", + "name": "response.keys", + "type": "array" + }, + { + "description": "The number of values found in the memcache request 
message. If the command does not send any data, this field is missing.\n", + "name": "request.count_values", + "type": "long" + }, + { + "description": "The number of values found in the memcache response message. If the command does not send any data, this field is missing.\n", + "name": "response.count_values", + "type": "long" + }, + { + "description": "The list of base64 encoded values sent with the request (if present).\n", + "name": "request.values", + "type": "array" + }, + { + "description": "The list of base64 encoded values sent with the response (if present).\n", + "name": "response.values", + "type": "array" + }, + { + "description": "The byte count of the values being transferred.\n", + "format": "bytes", + "name": "request.bytes", + "type": "long" + }, + { + "description": "The byte count of the values being transferred.\n", + "format": "bytes", + "name": "response.bytes", + "type": "long" + }, + { + "description": "The counter increment/decrement delta value.\n", + "name": "request.delta", + "type": "long" + }, + { + "description": "The counter increment/decrement initial value parameter (binary protocol only).\n", + "name": "request.initial", + "type": "long" + }, + { + "description": "The value of the memcache \"verbosity\" command.\n", + "name": "request.verbosity", + "type": "long" + }, + { + "description": "The text protocol raw arguments for the \"stats ...\" and \"lru crawl ...\" commands.\n", + "name": "request.raw_args", + "type": "keyword" + }, + { + "description": "The source class id in 'slab reassign' command.\n", + "name": "request.source_class", + "type": "long" + }, + { + "description": "The destination class id in 'slab reassign' command.\n", + "name": "request.dest_class", + "type": "long" + }, + { + "description": "The automove mode in the 'slab automove' command expressed as a string. 
This value can be \"standby\"(=0), \"slow\"(=1), \"aggressive\"(=2), or the raw value if the value is unknown.\n", + "name": "request.automove", + "type": "keyword" + }, + { + "description": "The memcache command flags sent in the request (if present).\n", + "name": "request.flags", + "type": "long" + }, + { + "description": "The memcache message flags sent in the response (if present).\n", + "name": "response.flags", + "type": "long" + }, + { + "description": "The data expiry time in seconds sent with the memcache command (if present). If the value is <30 days, the expiry time is relative to \"now\", or else it is an absolute Unix time in seconds (32-bit).\n", + "name": "request.exptime", + "type": "long" + }, + { + "description": "The sleep setting in microseconds for the 'lru_crawler sleep' command.\n", + "name": "request.sleep_us", + "type": "long" + }, + { + "description": "The counter value returned by a counter operation.\n", + "name": "response.value", + "type": "long" + }, + { + "description": "Set to true if noreply was set in the request. The `memcache.response` field will be missing.\n", + "name": "request.noreply", + "type": "boolean" + }, + { + "description": "Set to true if the binary protocol message is to be treated as a quiet message.\n", + "name": "request.quiet", + "type": "boolean" + }, + { + "description": "The CAS (compare-and-swap) identifier if present.\n", + "name": "request.cas_unique", + "type": "long" + }, + { + "description": "The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present).\n", + "name": "response.cas_unique", + "type": "long" + }, + { + "description": "The list of statistic values returned. 
Each entry is a dictionary with the fields \"name\" and \"value\".\n", + "name": "response.stats", + "type": "array" + }, + { + "description": "The returned memcache version string.\n", + "name": "response.version", + "type": "keyword" + } + ], + "name": "memcache", + "type": "group" + } + ], + "key": "memcache", + "title": "Memcache" + } + ] + } + } + } + }, + "mongodb": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "MongoDB-specific event fields. These fields mirror closely the fields for the MongoDB wire protocol. The higher level fields (for example, `query` and `resource`) apply to MongoDB events as well.\n", + "fields": [ + { + "fields": [ + { + "description": "If the MongoDB request has resulted in an error, this field contains the error message returned by the server.\n", + "name": "error" + }, + { + "description": "The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar.\n", + "name": "fullCollectionName" + }, + { + "description": "Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query.\n", + "name": "numberToSkip", + "type": "long" + }, + { + "description": "The requested maximum number of documents to be returned.\n", + "name": "numberToReturn", + "type": "long" + }, + { + "description": "The number of documents in the reply.\n", + "name": "numberReturned", + "type": "long" + }, + { + "description": "Where in the cursor this reply is starting.\n", + "name": "startingFrom" + }, + { + "description": "A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. 
Possible elements include $query, $orderby, $hint, $explain, and $snapshot.\n", + "name": "query" + }, + { + "description": "A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1.\n", + "name": "returnFieldsSelector" + }, + { + "description": "A BSON document that specifies the query for selecting the document to update or delete.\n", + "name": "selector" + }, + { + "description": "A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual.\n", + "name": "update" + }, + { + "description": "The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.\n", + "name": "cursorId" + } + ], + "name": "mongodb", + "type": "group" + } + ], + "key": "mongodb", + "title": "MongoDb" + } + ] + } + } + } + }, + "mysql": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "MySQL-specific event fields.\n", + "fields": [ + { + "fields": [ + { + "description": "If the MySQL command is successful, this field contains the affected number of rows of the last statement.\n", + "name": "affected_rows", + "type": "long" + }, + { + "description": "If the INSERT query is successful, this field contains the id of the newly inserted row.\n", + "name": "insert_id" + }, + { + "description": "If the SELECT query is successful, this field is set to the number of fields returned.\n", + "name": "num_fields" + }, + { + "description": "If the SELECT query is successful, this field is set to the number of rows returned.\n", + "name": "num_rows" + }, + { + "description": "The row mysql query as read from the transaction's request.\n", + "name": "query" + }, + { + "description": "The error code returned by MySQL.\n", + "name": "error_code", + "type": "long" + }, + { + 
"description": "The error info message returned by MySQL.\n", + "name": "error_message" + } + ], + "name": "mysql", + "type": "group" + } + ], + "key": "mysql", + "title": "MySQL" + } + ] + } + } + } + }, + "nfs": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "NFS v4/3 specific event fields.", + "fields": [ + { + "fields": [ + { + "description": "NFS protocol version number.", + "name": "version", + "type": "long" + }, + { + "description": "NFS protocol minor version number.", + "name": "minor_version", + "type": "long" + }, + { + "description": "NFS v4 COMPOUND operation tag.", + "name": "tag" + }, + { + "description": "NFS operation name, or main operation name, in case of COMPOUND calls.\n", + "name": "opcode" + }, + { + "description": "NFS operation reply status.", + "name": "status" + } + ], + "name": "nfs", + "type": "group" + }, + { + "description": "ONC RPC specific event fields.", + "fields": [ + { + "description": "RPC message transaction identifier.", + "name": "xid" + }, + { + "description": "RPC message reply status.", + "name": "status" + }, + { + "description": "RPC authentication flavor.", + "name": "auth_flavor" + }, + { + "description": "RPC caller's user id, in case of auth-unix.", + "name": "cred.uid", + "type": "long" + }, + { + "description": "RPC caller's group id, in case of auth-unix.", + "name": "cred.gid", + "type": "long" + }, + { + "description": "RPC caller's secondary group ids, in case of auth-unix.", + "name": "cred.gids" + }, + { + "description": "Arbitrary ID which the caller machine may generate.", + "name": "cred.stamp", + "type": "long" + }, + { + "description": "The name of the caller's machine.", + "name": "cred.machinename" + }, + { + "description": "RPC call size with argument.", + "migration": true, + "name": "call_size", + "path": "source.bytes", + "type": "alias" + }, + { + "description": "RPC reply size with argument.", + "migration": true, + "name": "reply_size", + "path": 
"destination.bytes", + "type": "alias" + } + ], + "name": "rpc", + "type": "group" + } + ], + "key": "nfs", + "title": "NFS" + } + ] + } + } + } + }, + "pgsql": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "PostgreSQL-specific event fields.\n", + "fields": [ + { + "fields": [ + { + "description": "The PostgreSQL error code.", + "name": "error_code", + "type": "long" + }, + { + "description": "The PostgreSQL error message.", + "name": "error_message" + }, + { + "description": "The PostgreSQL error severity.", + "name": "error_severity", + "possible_values": [ + "ERROR", + "FATAL", + "PANIC" + ] + }, + { + "description": "If the SELECT query if successful, this field is set to the number of fields returned.\n", + "name": "num_fields" + }, + { + "description": "If the SELECT query if successful, this field is set to the number of rows returned.\n", + "name": "num_rows" + } + ], + "name": "pgsql", + "type": "group" + } + ], + "key": "pgsql", + "title": "PostgreSQL" + } + ] + } + } + } + }, + "redis": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Redis-specific event fields.\n", + "fields": [ + { + "fields": [ + { + "description": "The return value of the Redis command in a human readable format.\n", + "name": "return_value" + }, + { + "description": "If the Redis command has resulted in an error, this field contains the error message returned by the Redis server.\n", + "name": "error" + } + ], + "name": "redis", + "type": "group" + } + ], + "key": "redis", + "title": "Redis" + } + ] + } + } + } + }, + "thrift": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Thrift-RPC specific event fields.\n", + "fields": [ + { + "fields": [ + { + "description": "The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. 
Otherwise, the IDs from the message are used.\n", + "name": "params" + }, + { + "description": "The name of the Thrift-RPC service as defined in the IDL files.\n", + "name": "service" + }, + { + "description": "The value returned by the Thrift-RPC call. This is encoded in a human readable format.\n", + "name": "return_value" + }, + { + "description": "If the call resulted in exceptions, this field contains the exceptions in a human readable format.\n", + "name": "exceptions" + } + ], + "name": "thrift", + "type": "group" + } + ], + "key": "thrift", + "title": "Thrift-RPC" + } + ] + } + } + } + }, + "tls": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "Detailed TLS-specific event fields.\n", + "fields": [ + { + "fields": [ + { + "fields": [ + { + "default_fields": false, + "fields": [ + { + "description": "Version of x509 format.", + "example": 3, + "name": "version", + "type": "keyword" + }, + { + "description": "Version of x509 format.", + "example": 3, + "name": "version_number", + "type": "keyword" + }, + { + "description": "Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.\n", + "example": "55FBB9C7DEBF09809D12CCAA", + "name": "serial_number", + "type": "keyword" + }, + { + "description": "Distinguished name (DN) of issuing certificate authority.", + "example": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA", + "name": "issuer.distinguished_name", + "type": "keyword" + }, + { + "description": "List of common name (CN) of issuing certificate authority.", + "example": "DigiCert SHA2 High Assurance Server CA", + "name": "issuer.common_name", + "type": "keyword" + }, + { + "description": "List of organizational units (OU) of issuing certificate authority.", + "example": "www.digicert.com", + "name": "issuer.organizational_unit", + "type": "keyword" + }, + { + "description": "List of organizations (O) of issuing certificate authority.", + "example": "DigiCert Inc", + "name": "issuer.organization", + "type": "keyword" + }, + { + "description": "List of locality names (L)", + "example": "Mountain View", + "name": "issuer.locality", + "type": "keyword" + }, + { + "description": "Province or region within country.", + "name": "issuer.province", + "type": "keyword" + }, + { + "description": "List of state or province names (ST, S, or P)", + "example": "California", + "name": "issuer.state_or_province", + "type": "keyword" + }, + { + "description": "List of country (C) codes", + "example": "US", + "name": "issuer.country", + "type": "keyword" + }, + { + "description": "Identifier for certificate signature algorithm. 
Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).", + "example": "SHA256-RSA", + "name": "signature_algorithm", + "type": "keyword" + }, + { + "description": "Time at which the certificate is first considered valid.", + "example": "2019-08-16T01:40:25+00:00", + "name": "not_before", + "type": "date" + }, + { + "description": "Time at which the certificate is no longer considered valid.", + "example": "2020-07-16T03:15:39+00:00", + "name": "not_after", + "type": "date" + }, + { + "description": "Distinguished name (DN) of the certificate subject entity.", + "example": "C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net", + "name": "subject.distinguished_name", + "type": "keyword" + }, + { + "description": "List of common names (CN) of subject.", + "example": "r2.shared.global.fastly.net", + "name": "subject.common_name", + "type": "keyword" + }, + { + "description": "List of organizational units (OU) of subject.", + "name": "subject.organizational_unit", + "type": "keyword" + }, + { + "description": "List of organizations (O) of subject.", + "example": "Fastly, Inc.", + "name": "subject.organization", + "type": "keyword" + }, + { + "description": "List of locality names (L)", + "example": "San Francisco", + "name": "subject.locality", + "type": "keyword" + }, + { + "description": "Province or region within country.", + "name": "subject.province", + "type": "keyword" + }, + { + "description": "List of state or province names (ST, S, or P)", + "example": "California", + "name": "subject.state_or_province", + "type": "keyword" + }, + { + "description": "List of country (C) code", + "example": "US", + "name": "subject.country", + "type": "keyword" + }, + { + "description": "Algorithm used to generate the public key.", + "example": "RSA", + "name": "public_key_algorithm", + "type": "keyword" + }, + { + "description": "The size of the public key space in 
bits.", + "example": 2048, + "name": "public_key_size", + "type": "long" + }, + { + "description": "List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.", + "example": "*.elastic.co", + "name": "alternative_names", + "type": "keyword" + } + ], + "name": "x509", + "type": "group" + } + ], + "name": "client", + "type": "group" + }, + { + "fields": [ + { + "default_fields": false, + "fields": [ + { + "description": "Version of x509 format.", + "example": 3, + "name": "version", + "type": "keyword" + }, + { + "description": "Version of x509 format.", + "example": 3, + "name": "version_number", + "type": "keyword" + }, + { + "description": "Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.\n", + "example": "55FBB9C7DEBF09809D12CCAA", + "name": "serial_number", + "type": "keyword" + }, + { + "description": "Distinguished name (DN) of issuing certificate authority.", + "example": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA", + "name": "issuer.distinguished_name", + "type": "keyword" + }, + { + "description": "List of common name (CN) of issuing certificate authority.", + "example": "DigiCert SHA2 High Assurance Server CA", + "name": "issuer.common_name", + "type": "keyword" + }, + { + "description": "List of organizational units (OU) of issuing certificate authority.", + "example": "www.digicert.com", + "name": "issuer.organizational_unit", + "type": "keyword" + }, + { + "description": "List of organizations (O) of issuing certificate authority.", + "example": "DigiCert Inc", + "name": "issuer.organization", + "type": "keyword" + }, + { + "description": "List of locality names (L)", + "example": "Mountain View", + "name": "issuer.locality", + "type": "keyword" + }, + { + 
"description": "Province or region within country.", + "name": "issuer.province", + "type": "keyword" + }, + { + "description": "List of state or province names (ST, S, or P)", + "example": "California", + "name": "issuer.state_or_province", + "type": "keyword" + }, + { + "description": "List of country (C) codes", + "example": "US", + "name": "issuer.country", + "type": "keyword" + }, + { + "description": "Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).", + "example": "SHA256-RSA", + "name": "signature_algorithm", + "type": "keyword" + }, + { + "description": "Time at which the certificate is first considered valid.", + "example": "2019-08-16T01:40:25+00:00", + "name": "not_before", + "type": "date" + }, + { + "description": "Time at which the certificate is no longer considered valid.", + "example": "2020-07-16T03:15:39+00:00", + "name": "not_after", + "type": "date" + }, + { + "description": "Distinguished name (DN) of the certificate subject entity.", + "example": "C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net", + "name": "subject.distinguished_name", + "type": "keyword" + }, + { + "description": "List of common names (CN) of subject.", + "example": "r2.shared.global.fastly.net", + "name": "subject.common_name", + "type": "keyword" + }, + { + "description": "List of organizational units (OU) of subject.", + "name": "subject.organizational_unit", + "type": "keyword" + }, + { + "description": "List of organizations (O) of subject.", + "example": "Fastly, Inc.", + "name": "subject.organization", + "type": "keyword" + }, + { + "description": "List of locality names (L)", + "example": "San Francisco", + "name": "subject.locality", + "type": "keyword" + }, + { + "description": "Province or region within country.", + "name": "subject.province", + "type": "keyword" + }, + { + "description": "List 
of state or province names (ST, S, or P)", + "example": "California", + "name": "subject.state_or_province", + "type": "keyword" + }, + { + "description": "List of country (C) code", + "example": "US", + "name": "subject.country", + "type": "keyword" + }, + { + "description": "Algorithm used to generate the public key.", + "example": "RSA", + "name": "public_key_algorithm", + "type": "keyword" + }, + { + "description": "The size of the public key space in bits.", + "example": 2048, + "name": "public_key_size", + "type": "long" + }, + { + "description": "List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.", + "example": "*.elastic.co", + "name": "alternative_names", + "type": "keyword" + } + ], + "name": "x509", + "type": "group" + } + ], + "name": "server", + "type": "group" + }, + { + "default_fields": false, + "fields": [ + { + "description": "The version of the TLS protocol used.\n", + "example": "TLS 1.3", + "name": "version", + "type": "keyword" + }, + { + "description": "If the session has been resumed, the underlying method used. One of \"id\" for TLS session ID or \"ticket\" for TLS ticket extension.\n", + "name": "resumption_method", + "type": "keyword" + }, + { + "description": "Whether the server has requested the client to authenticate itself using a client certificate.\n", + "name": "client_certificate_requested", + "type": "boolean" + }, + { + "fields": [ + { + "description": "The version of the TLS protocol by which the client wishes to communicate during this session.\n", + "name": "version", + "type": "keyword" + }, + { + "description": "Unique number to identify the session for the corresponding connection with the client.\n", + "name": "session_id", + "type": "keyword" + }, + { + "description": "The list of compression methods the client supports. 
See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml\n", + "name": "supported_compression_methods", + "type": "keyword" + }, + { + "description": "The hello extensions provided by the client.", + "fields": [ + { + "description": "List of hostnames", + "name": "server_name_indication", + "type": "keyword" + }, + { + "description": "List of application-layer protocols the client is willing to use.\n", + "name": "application_layer_protocol_negotiation", + "type": "keyword" + }, + { + "description": "Length of the session ticket, if provided, or an empty string to advertise support for tickets.\n", + "name": "session_ticket", + "type": "keyword" + }, + { + "description": "List of TLS versions that the client is willing to use.\n", + "name": "supported_versions", + "type": "keyword" + }, + { + "description": "List of Elliptic Curve Cryptography (ECC) curve groups supported by the client.\n", + "name": "supported_groups", + "type": "keyword" + }, + { + "description": "List of signature algorithms that may be use in digital signatures.\n", + "name": "signature_algorithms", + "type": "keyword" + }, + { + "description": "List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse.\n", + "name": "ec_points_formats", + "type": "keyword" + }, + { + "description": "List of extensions that were left unparsed by Packetbeat.\n", + "name": "_unparsed_", + "type": "keyword" + } + ], + "name": "extensions", + "type": "group" + } + ], + "name": "client_hello", + "type": "group" + }, + { + "fields": [ + { + "description": "The version of the TLS protocol that is used for this session. 
It is the highest version supported by the server not exceeding the version requested in the client hello.\n", + "name": "version", + "type": "keyword" + }, + { + "description": "The compression method selected by the server from the list provided in the client hello.\n", + "name": "selected_compression_method", + "type": "keyword" + }, + { + "description": "Unique number to identify the session for the corresponding connection with the client.\n", + "name": "session_id", + "type": "keyword" + }, + { + "description": "The hello extensions provided by the server.", + "fields": [ + { + "description": "Negotiated application layer protocol", + "name": "application_layer_protocol_negotiation", + "type": "keyword" + }, + { + "description": "Used to announce that a session ticket will be provided by the server. Always an empty string.\n", + "name": "session_ticket", + "type": "keyword" + }, + { + "description": "Negotiated TLS version to be used.\n", + "name": "supported_versions", + "type": "keyword" + }, + { + "description": "List of Elliptic Curve (EC) point formats. 
Indicates the set of point formats that the server can parse.\n", + "name": "ec_points_formats", + "type": "keyword" + }, + { + "description": "List of extensions that were left unparsed by Packetbeat.\n", + "name": "_unparsed_", + "type": "keyword" + } + ], + "name": "extensions", + "type": "group" + } + ], + "name": "server_hello", + "type": "group" + }, + { + "description": "Certificate provided by the client for authentication.", + "fields": [ + { + "description": "X509 format version.", + "name": "version", + "type": "long" + }, + { + "description": "Version of x509 format.", + "example": 3, + "name": "version_number", + "type": "keyword" + }, + { + "description": "The certificate's serial number.", + "name": "serial_number", + "type": "keyword" + }, + { + "description": "Date before which the certificate is not valid.", + "name": "not_before", + "type": "date" + }, + { + "description": "Date after which the certificate expires.", + "name": "not_after", + "type": "date" + }, + { + "description": "The algorithm used for this certificate's public key. 
One of RSA, DSA or ECDSA.\n", + "name": "public_key_algorithm", + "type": "keyword" + }, + { + "description": "Size of the public key.", + "name": "public_key_size", + "type": "long" + }, + { + "description": "The algorithm used for the certificate's signature.\n", + "name": "signature_algorithm", + "type": "keyword" + }, + { + "description": "Subject Alternative Names for this certificate.", + "name": "alternative_names", + "type": "keyword" + }, + { + "description": "Subject represented by this certificate.", + "fields": [ + { + "description": "Country code.", + "name": "country", + "type": "keyword" + }, + { + "description": "Organization name.", + "name": "organization", + "type": "keyword" + }, + { + "description": "Unit within organization.", + "name": "organizational_unit", + "type": "keyword" + }, + { + "description": "Province or region within country.", + "name": "province", + "type": "keyword" + }, + { + "description": "Name or host name identified by the certificate.", + "name": "common_name", + "type": "keyword" + }, + { + "description": "Locality.", + "name": "locality", + "type": "keyword" + }, + { + "description": "Distinguished name (DN) of the certificate subject entity.", + "example": "C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net", + "name": "distinguished_name", + "type": "keyword" + } + ], + "name": "subject", + "type": "group" + }, + { + "description": "Entity that issued and signed this certificate.", + "fields": [ + { + "description": "Country code.", + "name": "country", + "type": "keyword" + }, + { + "description": "Organization name.", + "name": "organization", + "type": "keyword" + }, + { + "description": "Unit within organization.", + "name": "organizational_unit", + "type": "keyword" + }, + { + "description": "Province or region within country.", + "name": "province", + "type": "keyword" + }, + { + "description": "Name or host name identified by the certificate.", + "name": "common_name", + 
"type": "keyword" + }, + { + "description": "Locality.", + "name": "locality", + "type": "keyword" + }, + { + "description": "Distinguished name (DN) of the certificate issuer entity.", + "example": "C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net", + "name": "distinguished_name", + "type": "keyword" + } + ], + "name": "issuer", + "type": "group" + } + ], + "name": "client_certificate", + "type": "group" + }, + { + "description": "Certificate provided by the server for authentication.", + "fields": [ + { + "description": "X509 format version.", + "name": "version", + "type": "long" + }, + { + "description": "Version of x509 format.", + "example": 3, + "name": "version_number", + "type": "keyword" + }, + { + "description": "The certificate's serial number.", + "name": "serial_number", + "type": "keyword" + }, + { + "description": "Date before which the certificate is not valid.", + "name": "not_before", + "type": "date" + }, + { + "description": "Date after which the certificate expires.", + "name": "not_after", + "type": "date" + }, + { + "description": "The algorithm used for this certificate's public key. 
One of RSA, DSA or ECDSA.\n", + "name": "public_key_algorithm", + "type": "keyword" + }, + { + "description": "Size of the public key.", + "name": "public_key_size", + "type": "long" + }, + { + "description": "The algorithm used for the certificate's signature.\n", + "name": "signature_algorithm", + "type": "keyword" + }, + { + "description": "Subject Alternative Names for this certificate.", + "name": "alternative_names", + "type": "keyword" + }, + { + "description": "Subject represented by this certificate.", + "fields": [ + { + "description": "Country code.", + "name": "country", + "type": "keyword" + }, + { + "description": "Organization name.", + "name": "organization", + "type": "keyword" + }, + { + "description": "Unit within organization.", + "name": "organizational_unit", + "type": "keyword" + }, + { + "description": "Province or region within country.", + "name": "province", + "type": "keyword" + }, + { + "description": "Province or region within country.", + "name": "state_or_province", + "type": "keyword" + }, + { + "description": "Name or host name identified by the certificate.", + "name": "common_name", + "type": "keyword" + }, + { + "description": "Locality.", + "name": "locality", + "type": "keyword" + }, + { + "description": "Distinguished name (DN) of the certificate subject entity.", + "example": "C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net", + "name": "distinguished_name", + "type": "keyword" + } + ], + "name": "subject", + "type": "group" + }, + { + "description": "Entity that issued and signed this certificate.", + "fields": [ + { + "description": "Country code.", + "name": "country", + "type": "keyword" + }, + { + "description": "Organization name.", + "name": "organization", + "type": "keyword" + }, + { + "description": "Unit within organization.", + "name": "organizational_unit", + "type": "keyword" + }, + { + "description": "Province or region within country.", + "name": "province", + "type": 
"keyword" + }, + { + "description": "Province or region within country.", + "name": "state_or_province", + "type": "keyword" + }, + { + "description": "Name or host name identified by the certificate.", + "name": "common_name", + "type": "keyword" + }, + { + "description": "Locality.", + "name": "locality", + "type": "keyword" + }, + { + "description": "Distinguished name (DN) of the certificate issuer entity.", + "example": "C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net", + "name": "distinguished_name", + "type": "keyword" + } + ], + "name": "issuer", + "type": "group" + } + ], + "name": "server_certificate", + "type": "group" + }, + { + "description": "Chain of trust for the server certificate.", + "name": "server_certificate_chain", + "type": "array" + }, + { + "description": "Chain of trust for the client certificate.", + "name": "client_certificate_chain", + "type": "array" + }, + { + "description": "An array containing the TLS alert type for every alert received.\n", + "name": "alert_types", + "type": "keyword" + } + ], + "name": "detailed", + "type": "group" + } + ], + "name": "tls", + "type": "group" + }, + { + "name": "tls.handshake_completed", + "path": "tls.established", + "type": "alias" + }, + { + "name": "tls.client_hello.supported_ciphers", + "path": "tls.client.supported_ciphers", + "type": "alias" + }, + { + "name": "tls.server_hello.selected_cipher", + "path": "tls.cipher", + "type": "alias" + }, + { + "name": "tls.fingerprints.ja3", + "path": "tls.client.ja3", + "type": "alias" + }, + { + "name": "tls.resumption_method", + "path": "tls.detailed.resumption_method", + "type": "alias" + }, + { + "name": "tls.client_certificate_requested", + "path": "tls.detailed.client_certificate_requested", + "type": "alias" + }, + { + "name": "tls.client_hello.version", + "path": "tls.detailed.client_hello.version", + "type": "alias" + }, + { + "name": "tls.client_hello.session_id", + "path": 
"tls.detailed.client_hello.session_id", + "type": "alias" + }, + { + "name": "tls.client_hello.supported_compression_methods", + "path": "tls.detailed.client_hello.supported_compression_methods", + "type": "alias" + }, + { + "name": "tls.client_hello.extensions.server_name_indication", + "path": "tls.detailed.client_hello.extensions.server_name_indication", + "type": "alias" + }, + { + "name": "tls.client_hello.extensions.application_layer_protocol_negotiation", + "path": "tls.detailed.client_hello.extensions.application_layer_protocol_negotiation", + "type": "alias" + }, + { + "name": "tls.client_hello.extensions.session_ticket", + "path": "tls.detailed.client_hello.extensions.session_ticket", + "type": "alias" + }, + { + "name": "tls.client_hello.extensions.supported_versions", + "path": "tls.detailed.client_hello.extensions.supported_versions", + "type": "alias" + }, + { + "name": "tls.client_hello.extensions.supported_groups", + "path": "tls.detailed.client_hello.extensions.supported_groups", + "type": "alias" + }, + { + "name": "tls.client_hello.extensions.signature_algorithms", + "path": "tls.detailed.client_hello.extensions.signature_algorithms", + "type": "alias" + }, + { + "name": "tls.client_hello.extensions.ec_points_formats", + "path": "tls.detailed.client_hello.extensions.ec_points_formats", + "type": "alias" + }, + { + "name": "tls.client_hello.extensions._unparsed_", + "path": "tls.detailed.client_hello.extensions._unparsed_", + "type": "alias" + }, + { + "name": "tls.server_hello.version", + "path": "tls.detailed.server_hello.version", + "type": "alias" + }, + { + "name": "tls.server_hello.selected_compression_method", + "path": "tls.detailed.server_hello.selected_compression_method", + "type": "alias" + }, + { + "name": "tls.server_hello.session_id", + "path": "tls.detailed.server_hello.session_id", + "type": "alias" + }, + { + "name": "tls.server_hello.extensions.application_layer_protocol_negotiation", + "path": 
"tls.detailed.server_hello.extensions.application_layer_protocol_negotiation", + "type": "alias" + }, + { + "name": "tls.server_hello.extensions.session_ticket", + "path": "tls.detailed.server_hello.extensions.session_ticket", + "type": "alias" + }, + { + "name": "tls.server_hello.extensions.supported_versions", + "path": "tls.detailed.server_hello.extensions.supported_versions", + "type": "alias" + }, + { + "name": "tls.server_hello.extensions.ec_points_formats", + "path": "tls.detailed.server_hello.extensions.ec_points_formats", + "type": "alias" + }, + { + "name": "tls.server_hello.extensions._unparsed_", + "path": "tls.detailed.server_hello.extensions._unparsed_", + "type": "alias" + }, + { + "name": "tls.client_certificate.version", + "path": "tls.detailed.client_certificate.version", + "type": "alias" + }, + { + "name": "tls.client_certificate.serial_number", + "path": "tls.detailed.client_certificate.serial_number", + "type": "alias" + }, + { + "name": "tls.client_certificate.not_before", + "path": "tls.detailed.client_certificate.not_before", + "type": "alias" + }, + { + "name": "tls.client_certificate.not_after", + "path": "tls.detailed.client_certificate.not_after", + "type": "alias" + }, + { + "name": "tls.client_certificate.public_key_algorithm", + "path": "tls.detailed.client_certificate.public_key_algorithm", + "type": "alias" + }, + { + "name": "tls.client_certificate.public_key_size", + "path": "tls.detailed.client_certificate.public_key_size", + "type": "alias" + }, + { + "name": "tls.client_certificate.signature_algorithm", + "path": "tls.detailed.client_certificate.signature_algorithm", + "type": "alias" + }, + { + "name": "tls.client_certificate.alternative_names", + "path": "tls.detailed.client_certificate.alternative_names", + "type": "alias" + }, + { + "name": "tls.client_certificate.subject.country", + "path": "tls.detailed.client_certificate.subject.country", + "type": "alias" + }, + { + "name": 
"tls.client_certificate.subject.organization", + "path": "tls.detailed.client_certificate.subject.organization", + "type": "alias" + }, + { + "name": "tls.client_certificate.subject.organizational_unit", + "path": "tls.detailed.client_certificate.subject.organizational_unit", + "type": "alias" + }, + { + "name": "tls.client_certificate.subject.province", + "path": "tls.detailed.client_certificate.subject.province", + "type": "alias" + }, + { + "name": "tls.client_certificate.subject.common_name", + "path": "tls.detailed.client_certificate.subject.common_name", + "type": "alias" + }, + { + "name": "tls.client_certificate.subject.locality", + "path": "tls.detailed.client_certificate.subject.locality", + "type": "alias" + }, + { + "name": "tls.client_certificate.issuer.country", + "path": "tls.detailed.client_certificate.issuer.country", + "type": "alias" + }, + { + "name": "tls.client_certificate.issuer.organization", + "path": "tls.detailed.client_certificate.issuer.organization", + "type": "alias" + }, + { + "name": "tls.client_certificate.issuer.organizational_unit", + "path": "tls.detailed.client_certificate.issuer.organizational_unit", + "type": "alias" + }, + { + "name": "tls.client_certificate.issuer.province", + "path": "tls.detailed.client_certificate.issuer.province", + "type": "alias" + }, + { + "name": "tls.client_certificate.issuer.common_name", + "path": "tls.detailed.client_certificate.issuer.common_name", + "type": "alias" + }, + { + "name": "tls.client_certificate.issuer.locality", + "path": "tls.detailed.client_certificate.issuer.locality", + "type": "alias" + }, + { + "name": "tls.server_certificate.version", + "path": "tls.detailed.server_certificate.version", + "type": "alias" + }, + { + "name": "tls.server_certificate.serial_number", + "path": "tls.detailed.server_certificate.serial_number", + "type": "alias" + }, + { + "name": "tls.server_certificate.not_before", + "path": "tls.detailed.server_certificate.not_before", + "type": "alias" + }, + { 
+ "name": "tls.server_certificate.not_after", + "path": "tls.detailed.server_certificate.not_after", + "type": "alias" + }, + { + "name": "tls.server_certificate.public_key_algorithm", + "path": "tls.detailed.server_certificate.public_key_algorithm", + "type": "alias" + }, + { + "name": "tls.server_certificate.public_key_size", + "path": "tls.detailed.server_certificate.public_key_size", + "type": "alias" + }, + { + "name": "tls.server_certificate.signature_algorithm", + "path": "tls.detailed.server_certificate.signature_algorithm", + "type": "alias" + }, + { + "name": "tls.server_certificate.alternative_names", + "path": "tls.detailed.server_certificate.alternative_names", + "type": "alias" + }, + { + "name": "tls.server_certificate.subject.country", + "path": "tls.detailed.server_certificate.subject.country", + "type": "alias" + }, + { + "name": "tls.server_certificate.subject.organization", + "path": "tls.detailed.server_certificate.subject.organization", + "type": "alias" + }, + { + "name": "tls.server_certificate.subject.organizational_unit", + "path": "tls.detailed.server_certificate.subject.organizational_unit", + "type": "alias" + }, + { + "name": "tls.server_certificate.subject.province", + "path": "tls.detailed.server_certificate.subject.province", + "type": "alias" + }, + { + "name": "tls.server_certificate.subject.common_name", + "path": "tls.detailed.server_certificate.subject.common_name", + "type": "alias" + }, + { + "name": "tls.server_certificate.subject.locality", + "path": "tls.detailed.server_certificate.subject.locality", + "type": "alias" + }, + { + "name": "tls.server_certificate.issuer.country", + "path": "tls.detailed.server_certificate.issuer.country", + "type": "alias" + }, + { + "name": "tls.server_certificate.issuer.organization", + "path": "tls.detailed.server_certificate.issuer.organization", + "type": "alias" + }, + { + "name": "tls.server_certificate.issuer.organizational_unit", + "path": 
"tls.detailed.server_certificate.issuer.organizational_unit", + "type": "alias" + }, + { + "name": "tls.server_certificate.issuer.province", + "path": "tls.detailed.server_certificate.issuer.province", + "type": "alias" + }, + { + "name": "tls.server_certificate.issuer.common_name", + "path": "tls.detailed.server_certificate.issuer.common_name", + "type": "alias" + }, + { + "name": "tls.server_certificate.issuer.locality", + "path": "tls.detailed.server_certificate.issuer.locality", + "type": "alias" + }, + { + "name": "tls.alert_types", + "path": "tls.detailed.alert_types", + "type": "alias" + } + ], + "key": "tls_detailed", + "title": "Detailed TLS" + } + ] + } + } + } + } + } + } + } + }, + "winlogbeat": { + "folders": { + "_meta": { + "files": { + "fields.common.yml": [ + { + "description": "Fields from the Windows Event Log.\n", + "fields": [ + { + "description": "The name of the file the event was read from when Winlogbeat is reading directly from an .evtx file.\n", + "name": "log.file.path", + "required": false, + "type": "keyword" + }, + { + "description": "The raw XML representation of the event obtained from Windows. This field is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer). This field is not included by default and must be enabled by setting `include_xml: true` as a configuration option for an individual event log.\nThe XML representation of the event is useful for troubleshooting purposes. The data in the fields reported by Winlogbeat can be compared to the data in the XML to diagnose problems.\n", + "name": "event.original", + "overwrite": true + }, + { + "description": "All fields specific to the Windows Event Log are defined here.\n", + "fields": [ + { + "description": "The event log API type used to read the record. 
The possible values are \"wineventlog\" for the Windows Event Log API or \"eventlogging\" for the Event Logging API.\nThe Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.\n", + "name": "api", + "required": true + }, + { + "description": "A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.\n", + "name": "activity_id", + "required": false, + "type": "keyword" + }, + { + "description": "The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.\n", + "name": "computer_name", + "required": true, + "type": "keyword" + }, + { + "description": "The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.\n", + "name": "event_data", + "object_type": "keyword", + "required": false, + "type": "object" + }, + { + "description": "This is a non-exhaustive list of parameters that are used in Windows events. 
By having these fields defined in the template they can be used in dashboards and machine-learning jobs.\n", + "fields": [ + { + "name": "AuthenticationPackageName", + "type": "keyword" + }, + { + "name": "Binary", + "type": "keyword" + }, + { + "name": "BitlockerUserInputTime", + "type": "keyword" + }, + { + "name": "BootMode", + "type": "keyword" + }, + { + "name": "BootType", + "type": "keyword" + }, + { + "name": "BuildVersion", + "type": "keyword" + }, + { + "name": "Company", + "type": "keyword" + }, + { + "name": "CorruptionActionState", + "type": "keyword" + }, + { + "name": "CreationUtcTime", + "type": "keyword" + }, + { + "name": "Description", + "type": "keyword" + }, + { + "name": "Detail", + "type": "keyword" + }, + { + "name": "DeviceName", + "type": "keyword" + }, + { + "name": "DeviceNameLength", + "type": "keyword" + }, + { + "name": "DeviceTime", + "type": "keyword" + }, + { + "name": "DeviceVersionMajor", + "type": "keyword" + }, + { + "name": "DeviceVersionMinor", + "type": "keyword" + }, + { + "name": "DriveName", + "type": "keyword" + }, + { + "name": "DriverName", + "type": "keyword" + }, + { + "name": "DriverNameLength", + "type": "keyword" + }, + { + "name": "DwordVal", + "type": "keyword" + }, + { + "name": "EntryCount", + "type": "keyword" + }, + { + "name": "ExtraInfo", + "type": "keyword" + }, + { + "name": "FailureName", + "type": "keyword" + }, + { + "name": "FailureNameLength", + "type": "keyword" + }, + { + "name": "FileVersion", + "type": "keyword" + }, + { + "name": "FinalStatus", + "type": "keyword" + }, + { + "name": "Group", + "type": "keyword" + }, + { + "name": "IdleImplementation", + "type": "keyword" + }, + { + "name": "IdleStateCount", + "type": "keyword" + }, + { + "name": "ImpersonationLevel", + "type": "keyword" + }, + { + "name": "IntegrityLevel", + "type": "keyword" + }, + { + "name": "IpAddress", + "type": "keyword" + }, + { + "name": "IpPort", + "type": "keyword" + }, + { + "name": "KeyLength", + "type": "keyword" + 
}, + { + "name": "LastBootGood", + "type": "keyword" + }, + { + "name": "LastShutdownGood", + "type": "keyword" + }, + { + "name": "LmPackageName", + "type": "keyword" + }, + { + "name": "LogonGuid", + "type": "keyword" + }, + { + "name": "LogonId", + "type": "keyword" + }, + { + "name": "LogonProcessName", + "type": "keyword" + }, + { + "name": "LogonType", + "type": "keyword" + }, + { + "name": "MajorVersion", + "type": "keyword" + }, + { + "name": "MaximumPerformancePercent", + "type": "keyword" + }, + { + "name": "MemberName", + "type": "keyword" + }, + { + "name": "MemberSid", + "type": "keyword" + }, + { + "name": "MinimumPerformancePercent", + "type": "keyword" + }, + { + "name": "MinimumThrottlePercent", + "type": "keyword" + }, + { + "name": "MinorVersion", + "type": "keyword" + }, + { + "name": "NewProcessId", + "type": "keyword" + }, + { + "name": "NewProcessName", + "type": "keyword" + }, + { + "name": "NewSchemeGuid", + "type": "keyword" + }, + { + "name": "NewTime", + "type": "keyword" + }, + { + "name": "NominalFrequency", + "type": "keyword" + }, + { + "name": "Number", + "type": "keyword" + }, + { + "name": "OldSchemeGuid", + "type": "keyword" + }, + { + "name": "OldTime", + "type": "keyword" + }, + { + "name": "OriginalFileName", + "type": "keyword" + }, + { + "name": "Path", + "type": "keyword" + }, + { + "name": "PerformanceImplementation", + "type": "keyword" + }, + { + "name": "PreviousCreationUtcTime", + "type": "keyword" + }, + { + "name": "PreviousTime", + "type": "keyword" + }, + { + "name": "PrivilegeList", + "type": "keyword" + }, + { + "name": "ProcessId", + "type": "keyword" + }, + { + "name": "ProcessName", + "type": "keyword" + }, + { + "name": "ProcessPath", + "type": "keyword" + }, + { + "name": "ProcessPid", + "type": "keyword" + }, + { + "name": "Product", + "type": "keyword" + }, + { + "name": "PuaCount", + "type": "keyword" + }, + { + "name": "PuaPolicyId", + "type": "keyword" + }, + { + "name": "QfeVersion", + "type": 
"keyword" + }, + { + "name": "Reason", + "type": "keyword" + }, + { + "name": "SchemaVersion", + "type": "keyword" + }, + { + "name": "ScriptBlockText", + "type": "keyword" + }, + { + "name": "ServiceName", + "type": "keyword" + }, + { + "name": "ServiceVersion", + "type": "keyword" + }, + { + "name": "ShutdownActionType", + "type": "keyword" + }, + { + "name": "ShutdownEventCode", + "type": "keyword" + }, + { + "name": "ShutdownReason", + "type": "keyword" + }, + { + "name": "Signature", + "type": "keyword" + }, + { + "name": "SignatureStatus", + "type": "keyword" + }, + { + "name": "Signed", + "type": "keyword" + }, + { + "name": "StartTime", + "type": "keyword" + }, + { + "name": "State", + "type": "keyword" + }, + { + "name": "Status", + "type": "keyword" + }, + { + "name": "StopTime", + "type": "keyword" + }, + { + "name": "SubjectDomainName", + "type": "keyword" + }, + { + "name": "SubjectLogonId", + "type": "keyword" + }, + { + "name": "SubjectUserName", + "type": "keyword" + }, + { + "name": "SubjectUserSid", + "type": "keyword" + }, + { + "name": "TSId", + "type": "keyword" + }, + { + "name": "TargetDomainName", + "type": "keyword" + }, + { + "name": "TargetInfo", + "type": "keyword" + }, + { + "name": "TargetLogonGuid", + "type": "keyword" + }, + { + "name": "TargetLogonId", + "type": "keyword" + }, + { + "name": "TargetServerName", + "type": "keyword" + }, + { + "name": "TargetUserName", + "type": "keyword" + }, + { + "name": "TargetUserSid", + "type": "keyword" + }, + { + "name": "TerminalSessionId", + "type": "keyword" + }, + { + "name": "TokenElevationType", + "type": "keyword" + }, + { + "name": "TransmittedServices", + "type": "keyword" + }, + { + "name": "UserSid", + "type": "keyword" + }, + { + "name": "Version", + "type": "keyword" + }, + { + "name": "Workstation", + "type": "keyword" + }, + { + "name": "param1", + "type": "keyword" + }, + { + "name": "param2", + "type": "keyword" + }, + { + "name": "param3", + "type": "keyword" + }, + { + 
"name": "param4", + "type": "keyword" + }, + { + "name": "param5", + "type": "keyword" + }, + { + "name": "param6", + "type": "keyword" + }, + { + "name": "param7", + "type": "keyword" + }, + { + "name": "param8", + "type": "keyword" + } + ], + "name": "event_data", + "type": "group" + }, + { + "description": "The event identifier. The value is specific to the source of the event.\n", + "name": "event_id", + "required": true, + "type": "keyword" + }, + { + "description": "The keywords are used to classify an event.\n", + "name": "keywords", + "required": false, + "type": "keyword" + }, + { + "description": "The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.\n", + "name": "channel", + "required": true, + "type": "keyword" + }, + { + "description": "The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.\n", + "name": "record_id", + "required": true, + "type": "keyword" + }, + { + "description": "A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.\n", + "name": "related_activity_id", + "required": false, + "type": "keyword" + }, + { + "description": "The opcode defined in the event. 
Task and opcode are typically used to identify the location in the application from where the event was logged.\n", + "name": "opcode", + "required": false, + "type": "keyword" + }, + { + "description": "A globally unique identifier that identifies the provider that logged the event.\n", + "name": "provider_guid", + "required": false, + "type": "keyword" + }, + { + "description": "The process_id of the Client Server Runtime Process.\n", + "name": "process.pid", + "required": false, + "type": "long" + }, + { + "description": "The source of the event log record (the application or service that logged the record).\n", + "name": "provider_name", + "required": true, + "type": "keyword" + }, + { + "description": "The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.\n", + "name": "task", + "required": false, + "type": "keyword" + }, + { + "name": "process.thread.id", + "required": false, + "type": "long" + }, + { + "description": "The event specific data. This field is mutually exclusive with `event_data`.\n", + "name": "user_data", + "object_type": "keyword", + "required": false, + "type": "object" + }, + { + "description": "The Windows security identifier (SID) of the account associated with this event.\nIf Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. 
If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.\n", + "example": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "user.identifier", + "required": false, + "type": "keyword" + }, + { + "description": "Name of the user associated with this event.\n", + "name": "user.name", + "type": "keyword" + }, + { + "description": "The domain that the account associated with this event is a member of.\n", + "name": "user.domain", + "required": false, + "type": "keyword" + }, + { + "description": "The type of account associated with this event.\n", + "name": "user.type", + "required": false, + "type": "keyword" + }, + { + "description": "The version number of the event's definition.", + "name": "version", + "required": false, + "type": "long" + } + ], + "name": "winlog", + "type": "group" + } + ], + "key": "winlog", + "title": "Winlogbeat" + }, + { + "description": "Field aliases based on Winlogbeat 6.x that point to the fields for this version of Winlogbeat. 
These are added to the index template when `migration.6_to_7.enable: true` is set in the configuration.\n", + "fields": [ + { + "migration": true, + "name": "type", + "path": "winlog.api", + "type": "alias" + }, + { + "migration": true, + "name": "activity_id", + "path": "winlog.activity_id", + "type": "alias" + }, + { + "migration": true, + "name": "computer_name", + "path": "winlog.computer_name", + "type": "alias" + }, + { + "migration": true, + "name": "event_id", + "path": "winlog.event_id", + "type": "alias" + }, + { + "migration": true, + "name": "keywords", + "path": "winlog.keywords", + "type": "alias" + }, + { + "migration": true, + "name": "log_name", + "path": "winlog.channel", + "type": "alias" + }, + { + "migration": true, + "name": "message_error", + "path": "error.message", + "type": "alias" + }, + { + "migration": true, + "name": "record_number", + "path": "winlog.record_id", + "type": "alias" + }, + { + "migration": true, + "name": "related_activity_id", + "path": "winlog.related_activity_id", + "type": "alias" + }, + { + "migration": true, + "name": "opcode", + "path": "winlog.opcode", + "type": "alias" + }, + { + "migration": true, + "name": "provider_guid", + "path": "winlog.provider_guid", + "type": "alias" + }, + { + "migration": true, + "name": "process_id", + "path": "winlog.process.pid", + "type": "alias" + }, + { + "migration": true, + "name": "source_name", + "path": "winlog.provider_name", + "type": "alias" + }, + { + "migration": true, + "name": "task", + "path": "winlog.task", + "type": "alias" + }, + { + "migration": true, + "name": "thread_id", + "path": "winlog.process.thread.id", + "type": "alias" + }, + { + "migration": true, + "name": "user.identifier", + "path": "winlog.user.identifier", + "type": "alias" + }, + { + "migration": true, + "name": "user.type", + "path": "winlog.user.type", + "type": "alias" + }, + { + "migration": true, + "name": "version", + "path": "winlog.version", + "type": "alias" + }, + { + "migration": 
true, + "name": "xml", + "path": "event.original", + "type": "alias" + } + ], + "key": "eventlog", + "title": "Legacy Winlogbeat alias" + } + ] + } + }, + "module": { + "folders": { + "powershell": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "These are the event fields specific to the module for the Microsoft-Windows-PowerShell/Operational and Windows PowerShell logs.\n", + "fields": [ + { + "description": "Shell Id.", + "example": "Microsoft Powershell", + "name": "powershell.id", + "type": "keyword" + }, + { + "description": "Pipeline id.", + "example": "1", + "name": "powershell.pipeline_id", + "type": "keyword" + }, + { + "description": "Runspace id.", + "example": "4fa9074d-45ab-4e53-9195-e91981ac2bbb", + "name": "powershell.runspace_id", + "type": "keyword" + }, + { + "description": "Sequence number of the powershell execution.", + "example": 1, + "name": "powershell.sequence", + "type": "long" + }, + { + "description": "Total number of messages in the sequence.", + "example": 10, + "name": "powershell.total", + "type": "long" + }, + { + "description": "Data related to the executed command.", + "fields": [ + { + "description": "Path of the executed command.", + "example": "C:\\Windows\\system32\\cmd.exe", + "name": "path", + "type": "keyword" + }, + { + "description": "Name of the executed command.", + "example": "cmd.exe", + "name": "name", + "type": "keyword" + }, + { + "description": "Type of the executed command.", + "example": "Application", + "name": "type", + "type": "keyword" + }, + { + "description": "The invoked command.", + "example": "Import-LocalizedData LocalizedData -filename ArchiveResources", + "name": "value", + "type": "text" + }, + { + "description": "An array of objects containing detailed information of the executed command.\n", + "name": "invocation_details", + "type": "array" + }, + { + "description": "The type of detail.", + "example": "CommandInvocation", + "name": "invocation_details.type", + 
"type": "keyword" + }, + { + "description": "The command to which the detail is related to.", + "example": "Add-Type", + "name": "invocation_details.related_command", + "type": "keyword" + }, + { + "description": "Only used for ParameterBinding detail type. Indicates the parameter name.\n", + "example": "AssemblyName", + "name": "invocation_details.name", + "type": "keyword" + }, + { + "description": "The value of the detail. The meaning of it will depend on the detail type.\n", + "example": "System.IO.Compression.FileSystem", + "name": "invocation_details.value", + "type": "text" + } + ], + "name": "powershell.command", + "type": "group" + }, + { + "description": "Data related to the connected user executing the command.", + "fields": [ + { + "description": "User domain.", + "example": "VAGRANT", + "name": "domain", + "type": "keyword" + }, + { + "description": "User name.", + "example": "vagrant", + "name": "name", + "type": "keyword" + } + ], + "name": "powershell.connected_user", + "type": "group" + }, + { + "description": "Data related to the PowerShell engine.", + "fields": [ + { + "description": "Version of the PowerShell engine version used to execute the command.", + "example": "5.1.17763.1007", + "name": "version", + "type": "keyword" + }, + { + "description": "Previous state of the PowerShell engine.\n", + "example": "Available", + "name": "previous_state", + "type": "keyword" + }, + { + "description": "New state of the PowerShell engine.\n", + "example": "Stopped", + "name": "new_state", + "type": "keyword" + } + ], + "name": "powershell.engine", + "type": "group" + }, + { + "description": "Data related to the executed script file.", + "fields": [ + { + "description": "Id of the executed script block.", + "example": "50d2dbda-7361-4926-a94d-d9eadfdb43fa", + "name": "script_block_id", + "type": "keyword" + }, + { + "description": "Text of the executed script block.\n", + "example": ".\\a_script.ps1", + "name": "script_block_text", + "type": "text" + } + 
], + "name": "powershell.file", + "type": "group" + }, + { + "description": "Version of the engine hosting process executable.", + "example": "5.1.17763.1007", + "name": "powershell.process.executable_version", + "type": "keyword" + }, + { + "description": "Data related to the PowerShell engine host.", + "fields": [ + { + "description": "New state of the PowerShell provider.\n", + "example": "Active", + "name": "new_state", + "type": "keyword" + }, + { + "description": "Provider name.\n", + "example": "Variable", + "name": "name", + "type": "keyword" + } + ], + "name": "powershell.provider", + "type": "group" + } + ], + "key": "powershell", + "release": "beta", + "title": "PowerShell module" + } + ] + } + } + } + }, + "security": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "These are the event fields specific to the module for the Security log.\n", + "fields": [ + { + "description": "Data related to a Windows logon.", + "fields": [ + { + "description": "Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module.\n", + "example": "RemoteInteractive", + "name": "type", + "type": "keyword" + }, + { + "description": "Logon ID that can be used to associate this logon with other events related to the same logon session.\n", + "name": "id", + "type": "keyword" + }, + { + "description": "The reason the logon failed.\n", + "name": "failure.reason", + "type": "keyword" + }, + { + "description": "The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field.\n", + "name": "failure.status", + "type": "keyword" + }, + { + "description": "Additional information about the logon failure. 
This is a textual description based on the value of the hexidecimal `SubStatus` field.\n", + "name": "failure.sub_status", + "type": "keyword" + } + ], + "name": "winlog.logon", + "type": "group" + } + ], + "key": "security", + "release": "beta", + "title": "Security module" + } + ] + } + } + } + }, + "sysmon": { + "folders": { + "_meta": { + "files": { + "fields.yml": [ + { + "description": "These are the event fields specific to the Sysmon module.\n", + "fields": [ + { + "description": "Windows status code returned for the DNS query.", + "name": "sysmon.dns.status", + "type": "keyword" + }, + { + "description": "Indicates if the deleted file was archived.", + "name": "sysmon.file.archived", + "type": "boolean" + }, + { + "description": "Indicates if the deleted file was an executable.", + "name": "sysmon.file.is_executable", + "type": "boolean" + } + ], + "key": "sysmon", + "release": "beta", + "title": "Sysmon module" + } + ] + } + } + } + } + } + } + } + } +} \ No newline at end of file