- Elastic integrations
- Integrations quick reference
- 1Password
- Abnormal Security
- ActiveMQ
- Active Directory Entity Analytics
- Airflow
- Akamai
- Apache
- API (custom)
- Arbor Peakflow SP Logs
- Arista NG Firewall
- Atlassian
- Auditd
- Auth0
- authentik
- AWS
- Amazon CloudFront
- Amazon DynamoDB
- Amazon EBS
- Amazon EC2
- Amazon ECS
- Amazon EMR
- AWS API Gateway
- Amazon GuardDuty
- AWS Health
- Amazon Kinesis Data Firehose
- Amazon Kinesis Data Stream
- Amazon Managed Streaming for Apache Kafka (MSK)
- Amazon NAT Gateway
- Amazon RDS
- Amazon Redshift
- Amazon S3
- Amazon S3 Storage Lens
- Amazon Security Lake
- Amazon SNS
- Amazon SQS
- Amazon VPC
- Amazon VPN
- AWS Bedrock
- AWS Billing
- AWS CloudTrail
- AWS CloudWatch
- AWS ELB
- AWS Fargate
- AWS Inspector
- AWS Lambda
- AWS Logs (custom)
- AWS Network Firewall
- AWS Route 53
- AWS Security Hub
- AWS Transit Gateway
- AWS Usage
- AWS WAF
- Azure
- Activity logs
- App Service
- Application Gateway
- Application Insights metrics
- Application Insights metrics overview
- Application State Insights metrics
- Azure logs (v2 preview)
- Azure OpenAI
- Billing metrics
- Container instance metrics
- Container registry metrics
- Container service metrics
- Custom Azure Logs
- Custom Blob Storage Input
- Database Account metrics
- Event Hub input
- Firewall logs
- Frontdoor
- Functions
- Microsoft Entra ID
- Monitor metrics
- Network Watcher VNet
- Network Watcher NSG
- Platform logs
- Resource metrics
- Spring Cloud logs
- Storage Account metrics
- Virtual machines metrics
- Virtual machines scaleset metrics
- Barracuda
- BitDefender
- Bitwarden
- blacklens.io
- Blue Coat Director Logs
- BBOT (Bighuge BLS OSINT Tool)
- Box Events
- Bravura Monitor
- Broadcom ProxySG
- Canva
- Cassandra
- CEL Custom API
- Ceph
- Check Point
- Cilium Tetragon
- CISA Known Exploited Vulnerabilities
- Cisco
- Cisco Meraki Metrics
- Citrix
- Claroty CTD
- Cloudflare
- Cloud Asset Inventory
- CockroachDB Metrics
- Common Event Format (CEF)
- Containerd
- CoreDNS
- Corelight
- Couchbase
- CouchDB
- Cribl
- CrowdStrike
- Cyberark
- Cybereason
- CylanceProtect Logs
- Custom Websocket logs
- Darktrace
- Data Exfiltration Detection
- DGA
- Digital Guardian
- Docker
- Elastic APM
- Elastic Fleet Server
- Elastic Security
- Elastic Stack monitoring
- Elasticsearch Service Billing
- Envoy Proxy
- ESET PROTECT
- ESET Threat Intelligence
- etcd
- Falco
- F5
- File Integrity Monitoring
- FireEye Network Security
- First EPSS
- Forcepoint Web Security
- ForgeRock
- Fortinet
- Gigamon
- GitHub
- GitLab
- Golang
- Google Cloud
- Custom GCS Input
- GCP
- GCP Audit logs
- GCP Billing metrics
- GCP Cloud Run metrics
- GCP CloudSQL metrics
- GCP Compute metrics
- GCP Dataproc metrics
- GCP DNS logs
- GCP Firestore metrics
- GCP Firewall logs
- GCP GKE metrics
- GCP Load Balancing metrics
- GCP Metrics Input
- GCP PubSub logs (custom)
- GCP PubSub metrics
- GCP Redis metrics
- GCP Security Command Center
- GCP Storage metrics
- GCP VPC Flow logs
- GCP Vertex AI
- GoFlow2 logs
- Hadoop
- HAProxy
- Hashicorp Vault
- HTTP Endpoint logs (custom)
- IBM MQ
- IIS
- Imperva
- InfluxDb
- Infoblox
- Iptables
- Istio
- Jamf Compliance Reporter
- Jamf Pro
- Jamf Protect
- Jolokia Input
- Journald logs (custom)
- JumpCloud
- Kafka
- Keycloak
- Kubernetes
- LastPass
- Lateral Movement Detection
- Linux Metrics
- Living off the Land Attack Detection
- Logs (custom)
- Lumos
- Lyve Cloud
- Mattermost
- Memcached
- Menlo Security
- Microsoft
- Microsoft 365
- Microsoft Defender for Cloud
- Microsoft Defender for Endpoint
- Microsoft DHCP
- Microsoft DNS Server
- Microsoft Entra ID Entity Analytics
- Microsoft Exchange Online Message Trace
- Microsoft Exchange Server
- Microsoft Graph Activity Logs
- Microsoft M365 Defender
- Microsoft Office 365 Metrics Integration
- Microsoft Sentinel
- Microsoft SQL Server
- Mimecast
- ModSecurity Audit
- MongoDB
- MongoDB Atlas
- MySQL
- Nagios XI
- NATS
- NetFlow Records
- Netskope
- Network Beaconing Identification
- Network Packet Capture
- Nginx
- Okta
- Oracle
- OpenCanary
- Osquery
- Palo Alto
- pfSense
- PHP-FPM
- PingOne
- PingFederate
- Pleasant Password Server
- PostgreSQL
- Prometheus
- Proofpoint TAP
- Proofpoint On Demand
- Pulse Connect Secure
- Qualys VMDR
- QNAP NAS
- RabbitMQ Logs
- Radware DefensePro Logs
- Rapid7
- Redis
- Rubrik RSC Metrics Integration
- Salesforce
- SentinelOne
- ServiceNow
- Slack Logs
- Snort
- Snyk
- SonicWall Firewall
- Sophos
- Spring Boot
- SpyCloud Enterprise Protection
- SQL Input
- Squid Logs
- SRX
- STAN
- Statsd Input
- Sublime Security
- Suricata
- StormShield SNS
- Symantec
- Symantec Endpoint Security
- Sysmon for Linux
- Sysdig
- Syslog Router Integration
- System
- System Audit
- Tanium
- TCP Logs (custom)
- Teleport
- Tenable
- Threat intelligence
- ThreatConnect
- Threat Map
- Thycotic Secret Server
- Tines
- Traefik
- Trellix
- Trend Micro
- TYCHON Agentless
- UDP Logs (custom)
- Universal Profiling
- Vectra Detect
- VMware
- WatchGuard Firebox
- WebSphere Application Server
- Windows
- Wiz
- Zeek
- ZeroFox
- Zero Networks
- ZooKeeper Metrics
- Zoom
- Zscaler
Elastic Agent Integration
editElastic Agent Integration
editVersion |
2.0.3 (View all) |
Compatible Kibana version(s) |
8.11.2 or higher |
Supported Serverless project types |
Security |
Subscription level |
Basic |
Level of support |
Elastic |
This integration provides observability for Elastic Agent metrics. It provides a dashboard to visualize the status of your agents so you can troubleshoot problems and determine when to add capacity.
You can enable or disable agent monitoring in the agent policy settings.
Metrics
editCore
editExported fields
Field | Description | Type |
---|---|---|
@timestamp |
Event timestamp. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host is running. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
Name of the project in Google Cloud. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host is running. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
Data stream dataset. |
constant_keyword |
data_stream.namespace |
Data stream namespace. |
constant_keyword |
data_stream.type |
Data stream type. |
constant_keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip address. |
ip |
host.mac |
Host mac address. |
keyword |
host.name |
Name of the host. It can contain what |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.full |
Operating system name, including the version or code name. |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. |
keyword |
elastic_agent.id |
Elastic agent id. |
|
elastic_agent.process |
Elastic agent process (elastic-agent, metricbeat, …). |
|
elastic_agent.version |
Elastic version as a raw string. |
Process
editThe Elastic Agent process
dataset provides process statistics about Elastic Agent processes. One document is
provided for each process.
Field | Description | Type |
---|---|---|
system.process.cpu.system.ticks |
The amount of CPU time the process spent in kernel space. |
long |
system.process.cpu.system.time.me |
The time when the process was started. |
date |
system.process.cpu.total.ticks |
The total CPU time spent by the process. |
long |
system.process.cpu.total.value |
The value of CPU usage since starting the process. |
long |
system.process.cpu.total.time.me |
The time when the process was started. |
date |
system.process.cpu.user.ticks |
The amount of CPU time the process spent in user space. |
long |
system.process.cpu.user.time.me |
The time when the process was started. |
date |
system.process.env |
The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. |
object |
system.process.fd.limit.soft |
The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. |
long |
system.process.fd.open |
The number of file descriptors open by the process. |
long |
system.process.memory.size |
The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. |
long |
system.process.cgroup.blkio.id |
ID of the cgroup. |
keyword |
system.process.cgroup.blkio.path |
Path to the cgroup relative to the cgroup subsystems mountpoint. |
keyword |
system.process.cgroup.blkio.total.bytes |
Total number of bytes transferred to and from all block devices by processes in the cgroup. |
long |
system.process.cgroup.blkio.total.ios |
Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. |
long |
system.process.cgroup.cpu.cfs.period.us |
Period of time in microseconds for how regularly a cgroup’s access to CPU resources should be reallocated. |
long |
system.process.cgroup.cpu.cfs.quota.us |
Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). |
long |
system.process.cgroup.cpu.cfs.shares |
An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. |
long |
system.process.cgroup.cpu.id |
ID of the cgroup. |
keyword |
system.process.cgroup.cpu.path |
Path to the cgroup relative to the cgroup subsystem’s mountpoint. |
keyword |
system.process.cgroup.cpu.rt.period.us |
Period of time in microseconds for how regularly a cgroup’s access to CPU resources is reallocated. |
long |
system.process.cgroup.cpu.rt.runtime.us |
Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. |
long |
system.process.cgroup.cpu.stats.periods |
Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. |
long |
system.process.cgroup.cpu.stats.throttled.ns |
The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. |
long |
system.process.cgroup.cpu.stats.throttled.periods |
Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). |
long |
system.process.cgroup.cpuacct.id |
ID of the cgroup. |
keyword |
system.process.cgroup.cpuacct.path |
Path to the cgroup relative to the cgroup subsystem’s mountpoint. |
keyword |
system.process.cgroup.cpuacct.percpu |
CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. |
object |
system.process.cgroup.cpuacct.stats.system.ns |
CPU time consumed by tasks in user (kernel) mode. |
long |
system.process.cgroup.cpuacct.stats.user.ns |
CPU time consumed by tasks in user mode. |
long |
system.process.cgroup.cpuacct.total.ns |
Total CPU time in nanoseconds consumed by all tasks in the cgroup. |
long |
system.process.cgroup.id |
The ID common to all cgroups associated with this task. If there isn’t a common ID used by all cgroups this field will be absent. |
keyword |
system.process.cgroup.memory.id |
ID of the cgroup. |
keyword |
system.process.cgroup.memory.kmem.failures |
The number of times that the memory limit (kmem.limit.bytes) was reached. |
long |
system.process.cgroup.memory.kmem.limit.bytes |
The maximum amount of kernel memory that tasks in the cgroup are allowed to use. |
long |
system.process.cgroup.memory.kmem.usage.bytes |
Total kernel memory usage by processes in the cgroup (in bytes). |
long |
system.process.cgroup.memory.kmem.usage.max.bytes |
The maximum kernel memory used by processes in the cgroup (in bytes). |
long |
system.process.cgroup.memory.kmem_tcp.failures |
The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. |
long |
system.process.cgroup.memory.kmem_tcp.limit.bytes |
The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. |
long |
system.process.cgroup.memory.kmem_tcp.usage.bytes |
Total memory usage for TCP buffers in bytes. |
long |
system.process.cgroup.memory.kmem_tcp.usage.max.bytes |
The maximum memory used for TCP buffers by processes in the cgroup (in bytes). |
long |
system.process.cgroup.memory.mem.failures |
The number of times that the memory limit (mem.limit.bytes) was reached. |
long |
system.process.cgroup.memory.mem.limit.bytes |
The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. |
long |
system.process.cgroup.memory.mem.usage.bytes |
Total memory usage by processes in the cgroup (in bytes). |
long |
system.process.cgroup.memory.mem.usage.max.bytes |
The maximum memory used by processes in the cgroup (in bytes). |
long |
system.process.cgroup.memory.memsw.failures |
The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. |
long |
system.process.cgroup.memory.memsw.limit.bytes |
The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. |
long |
system.process.cgroup.memory.memsw.usage.bytes |
The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). |
long |
system.process.cgroup.memory.memsw.usage.max.bytes |
The maximum amount of memory and swap space used by processes in the cgroup (in bytes). |
long |
system.process.cgroup.memory.path |
Path to the cgroup relative to the cgroup subsystem’s mountpoint. |
keyword |
system.process.cgroup.memory.stats.active_anon.bytes |
Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. |
long |
system.process.cgroup.memory.stats.active_file.bytes |
File-backed memory on active LRU list, in bytes. |
long |
system.process.cgroup.memory.stats.cache.bytes |
Page cache, including tmpfs (shmem), in bytes. |
long |
system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes |
Memory limit for the hierarchy that contains the memory cgroup, in bytes. |
long |
system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes |
Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. |
long |
system.process.cgroup.memory.stats.inactive_anon.bytes |
Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes |
long |
system.process.cgroup.memory.stats.inactive_file.bytes |
File-backed memory on inactive LRU list, in bytes. |
long |
system.process.cgroup.memory.stats.major_page_faults |
Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. |
long |
system.process.cgroup.memory.stats.mapped_file.bytes |
Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. |
long |
system.process.cgroup.memory.stats.page_faults |
Number of times that a process in the cgroup triggered a page fault. |
long |
system.process.cgroup.memory.stats.pages_in |
Number of pages paged into memory. This is a counter. |
long |
system.process.cgroup.memory.stats.pages_out |
Number of pages paged out of memory. This is a counter. |
long |
system.process.cgroup.memory.stats.rss.bytes |
Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. |
long |
system.process.cgroup.memory.stats.rss_huge.bytes |
Number of bytes of anonymous transparent hugepages. |
long |
system.process.cgroup.memory.stats.swap.bytes |
Swap usage, in bytes. |
long |
system.process.cgroup.memory.stats.unevictable.bytes |
Memory that cannot be reclaimed, in bytes. |
long |
system.process.cgroup.path |
The path to the cgroup relative to the cgroup subsystem’s mountpoint. If there isn’t a common path used by all cgroups this field will be absent. |
keyword |
Changelog
editChangelog
Version | Details | Kibana version(s) |
---|---|---|
2.0.3 |
Bug fix (View pull request) |
8.11.2 or higher |
2.0.2 |
Bug fix (View pull request) |
8.11.2 or higher |
2.0.1 |
Bug fix (View pull request) |
8.11.2 or higher |
2.0.0 |
Enhancement (View pull request) |
8.11.2 or higher |
1.20.0 |
Enhancement (View pull request) |
8.11.2 or higher |
1.19.2 |
Enhancement (View pull request) |
8.11.2 or higher |
1.19.1 |
Enhancement (View pull request) |
8.11.2 or higher |
1.19.0 |
Enhancement (View pull request) |
8.11.2 or higher |
1.18.0 |
Enhancement (View pull request) |
8.11.2 or higher |
1.17.0 |
Enhancement (View pull request) |
8.9.0 or higher |
1.16.0 |
Bug fix (View pull request) |
8.9.0 or higher |
1.15.0 |
Enhancement (View pull request) |
8.9.0 or higher |
1.14.0 |
Enhancement (View pull request) |
8.9.0 or higher |
1.13.1 |
Bug fix (View pull request) Bug fix (View pull request) Bug fix (View pull request) |
8.9.0 or higher |
1.13.0 |
Enhancement (View pull request) |
8.9.0 or higher |
1.12.1 |
Enhancement (View pull request) |
8.9.0 or higher |
1.12.0 |
Enhancement (View pull request) |
8.9.0 or higher |
1.11.2 |
Enhancement (View pull request) |
8.9.0 or higher |
1.11.1 |
Bug fix (View pull request) |
8.9.0 or higher |
1.11.0 |
Enhancement (View pull request) |
8.9.0 or higher |
1.10.1 |
Enhancement (View pull request) |
8.9.0 or higher |
1.10.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.9.1 |
Bug fix (View pull request) |
8.7.1 or higher |
1.9.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.8.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.7.0 |
Enhancement (View pull request) |
8.6.1 or higher |
1.6.0 |
Enhancement (View pull request) |
8.6.1 or higher |
1.5.2 |
Enhancement (View pull request) |
7.16.0 or higher |
1.5.1 |
Bug fix (View pull request) |
7.16.0 or higher |
1.5.0 |
Enhancement (View pull request) |
7.16.0 or higher |
1.4.1 |
Enhancement (View pull request) |
7.16.0 or higher |
1.4.0 |
Enhancement (View pull request) |
7.16.0 or higher |
1.3.5 |
Bug fix (View pull request) |
7.16.0 or higher |
1.3.4 |
Enhancement (View pull request) |
7.16.0 or higher |
1.3.3 |
Enhancement (View pull request) |
7.16.0 or higher |
1.3.2 |
Bug fix (View pull request) |
— |
1.3.1 |
Bug fix (View pull request) |
7.16.0 or higher |
1.3.0 |
Enhancement (View pull request) |
7.16.0 or higher |
1.2.2 |
Enhancement (View pull request) |
— |
1.2.1 |
Bug fix (View pull request) |
7.15.0 or higher |
1.2.0 |
Enhancement (View pull request) |
7.15.0 or higher |
1.1.1 |
Bug fix (View pull request) |
7.15.0 or higher |
1.1.0 |
Enhancement (View pull request) |
— |
1.0.0 |
Enhancement (View pull request) |
7.14.0 or higher |
0.1.0 |
Enhancement (View pull request) |
— |
0.0.7 |
Bug fix (View pull request) |
— |
0.0.6 |
Bug fix (View pull request) |
— |
0.0.5 |
Enhancement (View pull request) |
— |
ElasticON events are back!
Learn about the Elastic Search AI Platform from the experts at our live events.
Register now