ECS fields used in Filebeat for the apache module.
Field | Description | Level | Type | Example |
---|---|---|---|---|
id | Unique id to describe the event. | (use case) | keyword | 8a4f500d |
@timestamp | Timestamp of the log line after processing. | core | date | 2016-05-23T08:05:34.853Z |
message | Log message of the event | core | text | Hello World |
event.module | Currently fileset.module | core | keyword | apache |
event.dataset | Currently fileset.name | core | keyword | access |
source.ip | Source ip of the request. Currently apache.access.remote_ip | core | ip | 192.168.1.1 |
user.name | User name in the request. Currently apache.access.user_name | core | keyword | ruflin |
http.method | Http method, currently apache.access.method | (use case) | keyword | GET |
http.url | Http url, currently apache.access.url | (use case) | keyword | http://elastic.co/ |
http.version | Http version, currently apache.access.http_version | extended | keyword | 1.1 |
http.response.code | Http response code, currently apache.access.response_code | (use case) | keyword | 404 |
http.response.body_sent.bytes | Http response body bytes sent, currently apache.access.body_sent.bytes | (use case) | long | 117 |
http.referer | Http referrer code, currently apache.access.referrer. NOTE: In the RFC it is misspelled as referer, and that spelling has become the accepted standard. | (use case) | keyword | http://elastic.co/ |
user_agent.* | User agent fields as in schema. Currently under apache.access.user_agent.* | | | |
user_agent.original | Original user agent. Currently apache.access.agent | extended | keyword | http://elastic.co/ |
geoip.* | User agent fields as in schema. Currently under apache.access.geoip. These are extracted from source.ip. Should they be under source.geoip? | | | |
geoip.... | All geoip fields. | (use case) | keyword | |