The logging data model defines the fields that may be present in a log record. When log records are formatted as JSON objects, dotted names indicate nested fields.
All fields are optional unless noted otherwise. |
message
Original log entry text, UTF-8 encoded
This field may be absent or empty if a non-empty structured
field is present.
See the description of structured
for more.
Data type |
text |
Example value |
|
structured
Original log entry as a structured object.
This field may be present if the forwarder was configured to parse structured JSON logs.
If the original log entry was a valid structured log, this field will contain an equivalent JSON structure.
Otherwise this field will be empty or absent, and the message
field will contain the original log message.
The structured
field includes the same sub-fields as the original log message.
Data type |
group |
Example value |
map[message:starting fluentd worker pid=21631 ppid=21618 worker=0 pid:21631 ppid:21618 worker:0] |
log_type
The type of log, a string that begins with "application", "infrastructure" or "audit".
- "application"
-
Container logs generated by user applications running in the cluster, except infrastructure containers.
- "infrastructure"
-
Node logs (such as syslog or journal logs), and container logs from pods in the openshift*, kube*, or default projects.
- "audit"
-
Node logs from auditd (/var/log/audit/audit.log), and audit logs from the Kubernetes and OpenShift apiservers.
The log_type
field may contain one of these strings, or may have additional dot-separated components, for example "infrastructure.container" or "infrastructure.node".
Data type |
text |
Example value |
application |
@timestamp
A UTC value that marks when the log payload was created or, if the creation time is not known, when the log payload was first collected. The “@” prefix denotes a field that is reserved for a particular use. By default, most tools look for “@timestamp” with ElasticSearch.
Data type |
date |
Example value |
|
hostname
The name of the host where this log message originated. In a Kubernetes cluster, this is the same as kubernetes.host
.
Data type |
keyword |
ipaddr4
The IPv4 address of the source server. Can be an array.
Data type |
ip |
ipaddr6
The IPv6 address of the source server, if available. Can be an array.
Data type |
ip |
level
The logging level from various sources, including rsyslog(severitytext property)
, python’s logging module, and others.
The following values come from syslog.h
, and are preceded by their numeric equivalents:
-
0
=emerg
, system is unusable. -
1
=alert
, action must be taken immediately. -
2
=crit
, critical conditions. -
3
=err
, error conditions. -
4
=warn
, warning conditions. -
5
=notice
, normal but significant condition. -
6
=info
, informational. -
7
=debug
, debug-level messages.
The two following values are not part of syslog.h
but are widely used:
-
8
=trace
, trace-level messages, which are more verbose thandebug
messages. -
9
=unknown
, when the logging system gets a value it doesn’t recognize.
Map the log levels or priorities of other logging systems to their nearest match in the preceding list. For example, from python logging, you can match CRITICAL
with crit
, ERROR
with err
, and so on.
Data type |
keyword |
Example value |
|
pid
The process ID of the logging entity, if available.
Data type |
keyword |
service
The name of the service associated with the logging entity, if available. For example, syslog’s APP-NAME
and rsyslog’s programname
properties are mapped to the service field.
Data type |
keyword |
tags
Optional. An operator-defined list of tags placed on each log by the collector or normalizer. The payload can be a string with whitespace-delimited string tokens or a JSON list of string tokens.
Data type |
text |
file
The path to the log file from which the collector read this log entry. Normally, this is a path in the /var/log
file system of a cluster node.
Data type |
text |
offset
The offset value. Can represent bytes to the start of the log line in the file (zero- or one-based), or log line numbers (zero- or one-based), so long as the values are strictly monotonically increasing in the context of a single log file. The values are allowed to wrap, representing a new version of the log file (rotation).
Data type |
long |
kubernetes
The namespace for Kubernetes-specific metadata
Data type |
group |
kubernetes.pod_name
The name of the pod
Data type |
keyword |
kubernetes.pod_id
The Kubernetes ID of the pod
Data type |
keyword |
kubernetes.namespace_name
The name of the namespace in Kubernetes
Data type |
keyword |
kubernetes.namespace_id
The ID of the namespace in Kubernetes
Data type |
keyword |
kubernetes.host
The Kubernetes node name
Data type |
keyword |
kubernetes.container_name
The name of the container in Kubernetes
Data type |
keyword |
kubernetes.annotations
Annotations associated with the Kubernetes object
Data type |
group |
kubernetes.labels
Labels present on the original Kubernetes Pod
Data type |
group |
kubernetes.event
The Kubernetes event obtained from the Kubernetes master API. This event description loosely follows type Event
in Event v1 core.
Data type |
group |
kubernetes.event.verb
The type of event, ADDED
, MODIFIED
, or DELETED
Data type |
keyword |
Example value |
|
kubernetes.event.metadata
Information related to the location and time of the event creation
Data type |
group |
kubernetes.event.metadata.name
The name of the object that triggered the event creation
Data type |
keyword |
Example value |
|
kubernetes.event.metadata.namespace
The name of the namespace where the event originally occurred. Note that it differs from kubernetes.namespace_name
, which is the namespace where the eventrouter
application is deployed.
Data type |
keyword |
Example value |
|
kubernetes.event.metadata.selfLink
A link to the event
Data type |
keyword |
Example value |
|
kubernetes.event.metadata.uid
The unique ID of the event
Data type |
keyword |
Example value |
|
kubernetes.event.metadata.resourceVersion
A string that identifies the server’s internal version of the event. Clients can use this string to determine when objects have changed.
Data type |
integer |
Example value |
|
kubernetes.event.involvedObject
The object that the event is about.
Data type |
group |
kubernetes.event.involvedObject.kind
The type of object
Data type |
keyword |
Example value |
|
kubernetes.event.involvedObject.namespace
The namespace name of the involved object. Note that it may differ from kubernetes.namespace_name
, which is the namespace where the eventrouter
application is deployed.
Data type |
keyword |
Example value |
|
kubernetes.event.involvedObject.name
The name of the object that triggered the event
Data type |
keyword |
Example value |
|
kubernetes.event.involvedObject.uid
The unique ID of the object
Data type |
keyword |
Example value |
|
kubernetes.event.involvedObject.apiVersion
The version of kubernetes master API
Data type |
keyword |
Example value |
|
kubernetes.event.involvedObject.resourceVersion
A string that identifies the server’s internal version of the pod that triggered the event. Clients can use this string to determine when objects have changed.
Data type |
keyword |
Example value |
|
kubernetes.event.reason
A short machine-understandable string that gives the reason for generating this event
Data type |
keyword |
Example value |
|
kubernetes.event.source_component
The component that reported this event
Data type |
keyword |
Example value |
|
kubernetes.event.firstTimestamp
The time at which the event was first recorded
Data type |
date |
Example value |
|
kubernetes.event.count
The number of times this event has occurred
Data type |
integer |
Example value |
|
kubernetes.event.type
The type of event, Normal
or Warning
. New types could be added in the future.
Data type |
keyword |
Example value |
|
openshift
The namespace for openshift-logging specific metadata
Data type |
group |
openshift.labels
Labels added by the Cluster Log Forwarder configuration
Data type |
group |
systemd
Contains common fields specific to systemd journal. For more information please see https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html Applications may write their own fields to the journal. These will be available under the systemd.u
namespace. RESULT
and UNIT
are two such fields.
Data type |
group |
systemd.k
systemd’s kernel-specific metadata.
Data type |
group |
systemd.k.KERNEL_DEVICE
Data type |
keyword |
systemd.k.KERNEL_SUBSYSTEM
Data type |
keyword |
systemd.k.UDEV_DEVLINK
Data type |
keyword |
systemd.k.UDEV_DEVNODE
Data type |
keyword |
systemd.k.UDEV_SYSNAME
Data type |
keyword |
systemd.t
trusted journal fields, fields that are implicitly added by the journal and cannot be altered by client code.
Data type |
group |
systemd.t.AUDIT_LOGINUID
Data type |
keyword |
systemd.t.BOOT_ID
Data type |
keyword |
systemd.t.AUDIT_SESSION
Data type |
keyword |
systemd.t.CAP_EFFECTIVE
Data type |
keyword |
systemd.t.CMDLINE
Data type |
keyword |
systemd.t.COMM
Data type |
keyword |
systemd.t.EXE
Data type |
keyword |
systemd.t.GID
Data type |
keyword |
systemd.t.HOSTNAME
Data type |
keyword |
systemd.t.LINE_BREAK
Data type |
keyword |
systemd.t.MACHINE_ID
Data type |
keyword |
systemd.t.PID
Data type |
keyword |
systemd.t.SELINUX_CONTEXT
Data type |
keyword |
systemd.t.SOURCE_REALTIME_TIMESTAMP
https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html#_SOURCE_REALTIME_TIMESTAMP= This is converted to RFC 3339 NS format
Data type |
keyword |
systemd.t.STREAM_ID
Data type |
keyword |
systemd.t.SYSTEMD_CGROUP
Data type |
keyword |
systemd.t.SYSTEMD_INVOCATION_ID
https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html#_SYSTEMD_INVOCATION_ID=
Data type |
keyword |
systemd.t.SYSTEMD_OWNER_UID
Data type |
keyword |
systemd.t.SYSTEMD_SESSION
Data type |
keyword |
systemd.t.SYSTEMD_SLICE
Data type |
keyword |
systemd.t.SYSTEMD_UNIT
Data type |
keyword |
systemd.t.SYSTEMD_USER_UNIT
Data type |
keyword |
systemd.t.TRANSPORT
Data type |
keyword |
systemd.t.UID
Data type |
keyword |
systemd.u
fields that are directly passed from clients and stored in the journal.
Data type |
group |
systemd.u.CODE_FILE
Data type |
keyword |
systemd.u.CODE_FUNCTION
Data type |
keyword |
systemd.u.CODE_LINE
Data type |
keyword |
systemd.u.ERRNO
Data type |
keyword |
systemd.u.MESSAGE_ID
Data type |
keyword |
systemd.u.SYSLOG_FACILITY
Data type |
keyword |
systemd.u.SYSLOG_IDENTIFIER
Data type |
keyword |
systemd.u.SYSLOG_PID
Data type |
keyword |
systemd.u.RESULT
For private use only.
Data type |
keyword |
systemd.u.UNIT
For private use only.
Data type |
keyword |
aushape
Audit events converted with aushape. For more information please see https://github.com/Scribery/aushape
Data type |
group |
aushape.serial
Audit event serial number
Data type |
long |
aushape.node
Name of the host where the audit event occurred
Data type |
keyword |
aushape.error
The error aushape encountered while converting the event
Data type |
text |
aushape.trimmed
An array of JSONPath expressions relative to the event object, specifying objects/arrays with (some) contents removed as the result of event size limiting. Empty string means event itself. Empty array means trimming occurred at unspecified objects/arrays.
Data type |
keyword |
aushape.text
An array log record strings representing the original audit event
Data type |
text |
aushape.data
Parsed audit event data
Data type |
group |
aushape.data.avc
⚠ No description.
Data type |
nested |
aushape.data.execve
⚠ No description.
Data type |
text |
aushape.data.netfilter_cfg
⚠ No description.
Data type |
nested |
aushape.data.obj_pid
⚠ No description.
Data type |
nested |
aushape.data.path
⚠ No description.
Data type |
nested |