The logging data model defines the fields that may be present in a log record. When log records are formatted as JSON objects, dotted names indicate nested fields.
All fields are optional unless noted otherwise.

message
Original log entry text, UTF-8 encoded.
This field may be absent or empty if a non-empty structured field is present. See the description of structured for more.
Data type: text

structured
Original log entry as a structured object.
This field may be present if the forwarder was configured to parse structured JSON logs. If the original log entry was a valid structured log, this field will contain an equivalent JSON structure. Otherwise this field will be empty or absent, and the message field will contain the original log message. The structured field includes the same sub-fields as the original log message.
Data type: group
Example value: map[message:starting fluentd worker pid=21631 ppid=21618 worker=0 pid:21631 ppid:21618 worker:0]

log_type
The type of log, a string that begins with "application", "infrastructure" or "audit".
- "application": Container logs generated by user applications running in the cluster, except infrastructure containers.
- "infrastructure": Node logs (such as syslog or journal logs), and container logs from pods in the openshift*, kube*, or default projects.
- "audit": Node logs from auditd (/var/log/audit/audit.log), and audit logs from the Kubernetes and OpenShift apiservers.
The log_type field may contain one of these strings, or may have additional dot-separated components, for example "infrastructure.container" or "infrastructure.node".
Data type: text
Example value: application

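The two rules stated so far (a log_type must begin with one of the three base types, and message may be empty or absent only when a non-empty structured object is present) are easy to get wrong in a forwarder pipeline, and a record that violates them is a record a SIEM will index without a usable message. The following validator is an added example written for this page; it is not code from the logging project. It checks newline-delimited JSON records against exactly those two rules and reports the offending line numbers. The sample records are constructed for the example, and the function names are the example's own.

```python
import json

# Base types the data model allows at the start of log_type (from the page).
LOG_TYPE_BASES = ("application", "infrastructure", "audit")


def parse_log_type(value):
    """Split a log_type string into (base, extra_components).

    "infrastructure.container" -> ("infrastructure", ["container"]).
    Raises ValueError when the base is not one of the three allowed types or
    when a dot-separated component is empty.
    """
    if not isinstance(value, str) or not value:
        raise ValueError("log_type must be a non-empty string")
    base, *rest = value.split(".")
    if base not in LOG_TYPE_BASES:
        raise ValueError(f"log_type {value!r} does not begin with one of {LOG_TYPE_BASES}")
    if any(part == "" for part in rest):
        raise ValueError(f"log_type {value!r} has an empty dot-separated component")
    return base, rest


def validate_record(record):
    """Return a list of rule violations for one log record (empty list means OK).

    Only the rules stated in the data model are checked: log_type, when present,
    must begin with an allowed base type, and message may be empty or absent
    only when a non-empty structured object is present.
    """
    problems = []

    if "log_type" in record:  # all fields are optional, so absence is fine
        try:
            parse_log_type(record["log_type"])
        except ValueError as exc:
            problems.append(str(exc))

    message = record.get("message")
    if message is not None and not isinstance(message, str):
        problems.append("message must be a UTF-8 string")

    structured = record.get("structured")
    has_structured = isinstance(structured, dict) and len(structured) > 0
    if not message and not has_structured:
        problems.append("message is empty or absent but no non-empty structured field is present")

    return problems


def validate_jsonl(text):
    """Validate newline-delimited JSON records; return {line_number: [problems]} for bad lines only."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            report[lineno] = [f"invalid JSON: {exc.msg}"]
            continue
        if not isinstance(record, dict):
            report[lineno] = ["record is not a JSON object"]
            continue
        problems = validate_record(record)
        if problems:
            report[lineno] = problems
    return report


# Constructed sample input (not from the page): a valid application log, a valid
# structured-only infrastructure log, and two records that break the rules.
SAMPLE_JSONL = "\n".join([
    json.dumps({"log_type": "application", "message": "GET /healthz 200"}),
    json.dumps({"log_type": "infrastructure.container",
                "structured": {"level": "info", "msg": "worker started"}}),
    json.dumps({"log_type": "node.syslog", "message": ""}),
    json.dumps({"log_type": "audit", "structured": {}}),
])


if __name__ == "__main__":
    for lineno, problems in validate_jsonl(SAMPLE_JSONL).items():
        print(f"line {lineno}: " + "; ".join(problems))
```

Run against the sample, line 3 is reported twice (an unknown base type and an empty message with no structured fallback) and line 4 once (an empty structured object does not count as present). Running the same check on a forwarder's output before it reaches the store is a cheap way to catch a misconfigured parser that silently drops message text.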
@timestamp
A UTC value that marks when the log payload was created or, if the creation time is not known, when the log payload was first collected. The "@" prefix denotes a field that is reserved for a particular use. By default, most tools that work with Elasticsearch look for "@timestamp".
Data type: date

hostname
The name of the host where this log message originated. In a Kubernetes cluster, this is the same as kubernetes.host.
Data type: keyword

ipaddr4
The IPv4 address of the source server. Can be an array.
Data type: ip

ipaddr6
The IPv6 address of the source server, if available. Can be an array.
Data type: ip

level
The logging level from various sources, including rsyslog (severitytext property), Python's logging module, and others.
The following values come from syslog.h, and are preceded by their numeric equivalents:
- 0=emerg, system is unusable.
- 1=alert, action must be taken immediately.
- 2=crit, critical conditions.
- 3=err, error conditions.
- 4=warn, warning conditions.
- 5=notice, normal but significant condition.
- 6=info, informational.
- 7=debug, debug-level messages.
The following two values are not part of syslog.h but are widely used:
- 8=trace, trace-level messages, which are more verbose than debug messages.
- 9=unknown, when the logging system gets a value it doesn't recognize.
Map the log levels or priorities of other logging systems to their nearest match in the preceding list. For example, from Python logging, you can match CRITICAL with crit, ERROR with err, and so on.
Data type: keyword

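The mapping rule above is the one a detection team relies on when it filters on level across sources; a producer that emits "ERROR" where the store expects "err" silently disappears from alert queries. The code below is an added example, not part of the page or of the logging project: it normalizes level names, common aliases and syslog numbers to the ten values listed above, applies the CRITICAL-to-crit, ERROR-to-err mapping for Python's logging module, and shows a logging.Formatter that emits records using the model's top-level field names. The alias table, the choice of trace for levels below DEBUG, the RFC 3339 layout used for @timestamp and the use of the logger name as service are assumptions of this example.

```python
import json
import logging
from datetime import datetime, timezone

# Level names in the order listed above: 0-7 from syslog.h, 8 and 9 added by the model.
LEVELS = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug", "trace", "unknown"]
LEVEL_NUMBER = {name: number for number, name in enumerate(LEVELS)}

# Spellings used by other systems and their nearest match in LEVELS. This alias
# table is an assumption of this example, not part of the data model.
ALIASES = {
    "emergency": "emerg", "panic": "emerg",
    "critical": "crit", "fatal": "crit",
    "error": "err",
    "warning": "warn",
    "informational": "info",
}


def normalize_level(value):
    """Map a level given as a name, a common alias or a syslog number to (name, number).

    Anything the model does not recognize becomes ("unknown", 9), as the text prescribes.
    """
    if isinstance(value, bool):  # bool is an int subclass; treat it as unrecognized
        return "unknown", 9
    if isinstance(value, int):
        return (LEVELS[value], value) if 0 <= value <= 9 else ("unknown", 9)
    text = str(value).strip().lower()
    if text.isdigit():
        return normalize_level(int(text))
    text = ALIASES.get(text, text)
    if text in LEVEL_NUMBER:
        return text, LEVEL_NUMBER[text]
    return "unknown", 9


def python_level_to_model(levelno):
    """Nearest model level for a Python logging numeric level (CRITICAL->crit, ERROR->err, ...).

    Levels below DEBUG have no syslog.h counterpart; mapping them to trace is this
    example's choice.
    """
    if levelno >= logging.CRITICAL:
        return "crit"
    if levelno >= logging.ERROR:
        return "err"
    if levelno >= logging.WARNING:
        return "warn"
    if levelno >= logging.INFO:
        return "info"
    if levelno >= logging.DEBUG:
        return "debug"
    return "trace"


class ModelFormatter(logging.Formatter):
    """Emit each record as one JSON object using the model's top-level field names.

    The RFC 3339 UTC layout for @timestamp and the use of the logger name as the
    service are assumptions of this example.
    """

    def __init__(self, log_type="application"):
        super().__init__()
        self.log_type = log_type

    def format(self, record):
        created = datetime.fromtimestamp(record.created, tz=timezone.utc)
        out = {
            "@timestamp": created.isoformat(timespec="microseconds").replace("+00:00", "Z"),
            "message": record.getMessage(),
            "level": python_level_to_model(record.levelno),
            "service": record.name,
            "log_type": self.log_type,
        }
        if record.process is not None:
            out["pid"] = str(record.process)  # pid is a keyword field, so keep it a string
        if record.exc_info:
            out["message"] += "\n" + self.formatException(record.exc_info)
        return json.dumps(out, ensure_ascii=False)


def demo_record():
    """Format one constructed ERROR record and return it parsed back into a dict."""
    record = logging.LogRecord("payments", logging.ERROR, "app.py", 42,
                               "disk %s is full", ("/var",), None)
    return json.loads(ModelFormatter().format(record))


if __name__ == "__main__":
    print(normalize_level("ERROR"), normalize_level(6), normalize_level("severe"))
    print(json.dumps(demo_record(), indent=2))
```

Attach ModelFormatter to a StreamHandler on the root logger and every record from the application arrives already carrying message, level, @timestamp, pid, service and log_type in the forms this model expects, so no level translation is needed downstream.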
pid
The process ID of the logging entity, if available.
Data type: keyword

service
The name of the service associated with the logging entity, if available. For example, syslog's APP-NAME and rsyslog's programname properties are mapped to the service field.
Data type: keyword

tags
Optional. An operator-defined list of tags placed on each log by the collector or normalizer. The payload can be a string with whitespace-delimited string tokens or a JSON list of string tokens.
Data type: text

file
The path to the log file from which the collector read this log entry. Normally, this is a path in the /var/log file system of a cluster node.
Data type: text

offset
The offset value. Can represent bytes to the start of the log line in the file (zero- or one-based), or log line numbers (zero- or one-based), so long as the values are strictly monotonically increasing in the context of a single log file. The values are allowed to wrap, representing a new version of the log file (rotation).
Data type: long

kubernetes
The namespace for Kubernetes-specific metadata.
Data type: group

kubernetes.pod_name
The name of the pod.
Data type: keyword

kubernetes.pod_id
The Kubernetes ID of the pod.
Data type: keyword

kubernetes.namespace_name
The name of the namespace in Kubernetes.
Data type: keyword

kubernetes.namespace_id
The ID of the namespace in Kubernetes.
Data type: keyword

kubernetes.host
The Kubernetes node name.
Data type: keyword

kubernetes.container_name
The name of the container in Kubernetes.
Data type: keyword

kubernetes.annotations
Annotations associated with the Kubernetes object.
Data type: group

kubernetes.labels
Labels present on the original Kubernetes Pod.
Data type: group

kubernetes.event
The Kubernetes event obtained from the Kubernetes master API. This event description loosely follows type Event in Event v1 core.
Data type: group

kubernetes.event.verb
The type of event: ADDED, MODIFIED, or DELETED.
Data type: keyword

kubernetes.event.metadata
Information related to the location and time of the event creation.
Data type: group

kubernetes.event.metadata.name
The name of the object that triggered the event creation.
Data type: keyword

kubernetes.event.metadata.namespace
The name of the namespace where the event originally occurred. Note that it differs from kubernetes.namespace_name, which is the namespace where the eventrouter application is deployed.
Data type: keyword

kubernetes.event.metadata.selfLink
A link to the event.
Data type: keyword

kubernetes.event.metadata.uid
The unique ID of the event.
Data type: keyword

kubernetes.event.metadata.resourceVersion
A string that identifies the server's internal version of the event. Clients can use this string to determine when objects have changed.
Data type: integer

kubernetes.event.involvedObject
The object that the event is about.
Data type: group

kubernetes.event.involvedObject.kind
The type of object.
Data type: keyword

kubernetes.event.involvedObject.namespace
The namespace name of the involved object. Note that it may differ from kubernetes.namespace_name, which is the namespace where the eventrouter application is deployed.
Data type: keyword

kubernetes.event.involvedObject.name
The name of the object that triggered the event.
Data type: keyword

kubernetes.event.involvedObject.uid
The unique ID of the object.
Data type: keyword

kubernetes.event.involvedObject.apiVersion
The version of the Kubernetes master API.
Data type: keyword

kubernetes.event.involvedObject.resourceVersion
A string that identifies the server's internal version of the pod that triggered the event. Clients can use this string to determine when objects have changed.
Data type: keyword

kubernetes.event.reason
A short machine-understandable string that gives the reason for generating this event.
Data type: keyword

kubernetes.event.source_component
The component that reported this event.
Data type: keyword

kubernetes.event.firstTimestamp
The time at which the event was first recorded.
Data type: date

kubernetes.event.count
The number of times this event has occurred.
Data type: integer

kubernetes.event.type
The type of event: Normal or Warning. New types could be added in the future.
Data type: keyword

openshift
The namespace for openshift-logging specific metadata.
Data type: group

openshift.labels
Labels added by the Cluster Log Forwarder configuration.
Data type: group

systemd
Contains common fields specific to the systemd journal. For more information, see https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html
Applications may write their own fields to the journal. These are available under the systemd.u namespace; RESULT and UNIT are two such fields.
Data type: group

systemd.k
systemd's kernel-specific metadata.
Data type: group

systemd.k.KERNEL_DEVICE
Data type: keyword

systemd.k.KERNEL_SUBSYSTEM
Data type: keyword

systemd.k.UDEV_DEVLINK
Data type: keyword

systemd.k.UDEV_DEVNODE
Data type: keyword

systemd.k.UDEV_SYSNAME
Data type: keyword

systemd.t
Trusted journal fields: fields that are implicitly added by the journal and cannot be altered by client code.
Data type: group

systemd.t.AUDIT_LOGINUID
Data type: keyword

systemd.t.BOOT_ID
Data type: keyword

systemd.t.AUDIT_SESSION
Data type: keyword

systemd.t.CAP_EFFECTIVE
Data type: keyword

systemd.t.CMDLINE
Data type: keyword

systemd.t.COMM
Data type: keyword

systemd.t.EXE
Data type: keyword

systemd.t.GID
Data type: keyword

systemd.t.HOSTNAME
Data type: keyword

systemd.t.LINE_BREAK
Data type: keyword

systemd.t.MACHINE_ID
Data type: keyword

systemd.t.PID
Data type: keyword

systemd.t.SELINUX_CONTEXT
Data type: keyword

systemd.t.SOURCE_REALTIME_TIMESTAMP
See https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html#_SOURCE_REALTIME_TIMESTAMP=
This value is converted to RFC 3339 format with nanosecond precision.
Data type: keyword

systemd.t.STREAM_ID
Data type: keyword

systemd.t.SYSTEMD_CGROUP
Data type: keyword

systemd.t.SYSTEMD_INVOCATION_ID
See https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html#_SYSTEMD_INVOCATION_ID=
Data type: keyword

systemd.t.SYSTEMD_OWNER_UID
Data type: keyword

systemd.t.SYSTEMD_SESSION
Data type: keyword

systemd.t.SYSTEMD_SLICE
Data type: keyword

systemd.t.SYSTEMD_UNIT
Data type: keyword

systemd.t.SYSTEMD_USER_UNIT
Data type: keyword

systemd.t.TRANSPORT
Data type: keyword

systemd.t.UID
Data type: keyword

systemd.u
Fields that are directly passed from clients and stored in the journal.
Data type: group

systemd.u.CODE_FILE
Data type: keyword

systemd.u.CODE_FUNCTION
Data type: keyword

systemd.u.CODE_LINE
Data type: keyword

systemd.u.ERRNO
Data type: keyword

systemd.u.MESSAGE_ID
Data type: keyword

systemd.u.SYSLOG_FACILITY
Data type: keyword

systemd.u.SYSLOG_IDENTIFIER
Data type: keyword

systemd.u.SYSLOG_PID
Data type: keyword

systemd.u.RESULT
For private use only.
Data type: keyword

systemd.u.UNIT
For private use only.
Data type: keyword

aushape
Audit events converted with aushape. For more information, see https://github.com/Scribery/aushape
Data type: group

aushape.serial
Audit event serial number.
Data type: long

aushape.node
Name of the host where the audit event occurred.
Data type: keyword

aushape.error
The error aushape encountered while converting the event.
Data type: text

aushape.trimmed
An array of JSONPath expressions, relative to the event object, specifying the objects or arrays whose contents were (partly) removed as the result of event size limiting. An empty string means the event itself; an empty array means trimming occurred at unspecified objects or arrays.
Data type: keyword

aushape.text
An array of log record strings representing the original audit event.
Data type: text

aushape.data
Parsed audit event data.
Data type: group

aushape.data.avc
⚠ No description.
Data type: nested

aushape.data.execve
⚠ No description.
Data type: text

aushape.data.netfilter_cfg
⚠ No description.
Data type: nested

aushape.data.obj_pid
⚠ No description.
Data type: nested

aushape.data.path
⚠ No description.
Data type: nested